From 2bc5386e52636c91aa590cf9367696416cacb1cd Mon Sep 17 00:00:00 2001 From: dongyuzhen Date: Mon, 12 May 2025 17:11:01 +0800 Subject: [PATCH] sync patches from upstream (cherry picked from commit f3600b3ea049f5505b3a1bda79713554d4a782de) --- 0176-add-registry-ut-test.patch | 207 +++++++ 0177-add-loongarch64-support.patch | 39 ++ 0178-add-storage-driver-ut.patch | 353 +++++++++++ 0179-iSulad-support-shim-stats-cmd.patch | 63 ++ 0180-fix-storage-driver-ut.patch | 24 + ...-apply-patch-for-lib-shim-v2-install.patch | 25 + ...isolation-memory-leak-and-meanless-r.patch | 262 ++++++++ 0183-add-dt-for-cri-v1.patch | 575 ++++++++++++++++++ ...-alive-read-pid-ppid-info-in-runtime.patch | 454 ++++++++++++++ 0185-sandbox-sandboxer-code-isolation.patch | 275 +++++++++ 0186-UT-sandboxer-code-isolation.patch | 111 ++++ ...-remove-uncalled-functions-in-cri-v1.patch | 517 ++++++++++++++++ ...memory-leak-in-fill-sandbox-metadate.patch | 71 +++ ...init-and-verify-sandbox-ready-when-c.patch | 44 ++ ...cedure-of-start-pod-and-set-up-netwo.patch | 399 ++++++++++++ 0191-bugfix-dereference-null-pointer.patch | 36 ++ 0192-modify-save-step-in-run-sandbox.patch | 158 +++++ 0193-add-dt-for-cri-v1.patch | 209 +++++++ ...fy-the-CreateContainer-failed-return.patch | 26 + ...ests-for-sandbox-and-shim-controller.patch | 379 ++++++++++++ 0196-add-remove-pod-in-cri-stats.patch | 26 + ...coco-support-confidential-containers.patch | 539 ++++++++++++++++ ...sula-search-ut-in-registry_images_ut.patch | 169 +++++ ...work_ready-from-metadata-to-state-fo.patch | 80 +++ ...en-create-failed-to-be-consisent-wit.patch | 91 +++ iSulad.spec | 37 +- 26 files changed, 5168 insertions(+), 1 deletion(-) create mode 100644 0176-add-registry-ut-test.patch create mode 100644 0177-add-loongarch64-support.patch create mode 100644 0178-add-storage-driver-ut.patch create mode 100644 0179-iSulad-support-shim-stats-cmd.patch create mode 100644 0180-fix-storage-driver-ut.patch create mode 100644 0181-apply-patch-for-lib-shim-v2-install.patch create mode 100644 0182-fix-error-macro-isolation-memory-leak-and-meanless-r.patch create mode 100644 0183-add-dt-for-cri-v1.patch create mode 100644 0184-do-check-process-alive-read-pid-ppid-info-in-runtime.patch create mode 100644 0185-sandbox-sandboxer-code-isolation.patch create mode 100644 0186-UT-sandboxer-code-isolation.patch create mode 100644 0187-remove-uncalled-functions-in-cri-v1.patch create mode 100644 0188-sandbox-fix-memory-leak-in-fill-sandbox-metadate.patch create mode 100644 0189-add-sandbox-pid-init-and-verify-sandbox-ready-when-c.patch create mode 100644 0190-modified-the-procedure-of-start-pod-and-set-up-netwo.patch create mode 100644 0191-bugfix-dereference-null-pointer.patch create mode 100644 0192-modify-save-step-in-run-sandbox.patch create mode 100644 0193-add-dt-for-cri-v1.patch create mode 100644 0194-modify-the-CreateContainer-failed-return.patch create mode 100644 0195-Add-some-unit-tests-for-sandbox-and-shim-controller.patch create mode 100644 0196-add-remove-pod-in-cri-stats.patch create mode 100644 0197-coco-support-confidential-containers.patch create mode 100644 0198-isolate-isula-search-ut-in-registry_images_ut.patch create mode 100644 0199-move-sandbox-network_ready-from-metadata-to-state-fo.patch create mode 100644 0200-clean-sandbox-when-create-failed-to-be-consisent-wit.patch diff --git a/0176-add-registry-ut-test.patch b/0176-add-registry-ut-test.patch new file mode 100644 index 0000000..494d929 --- /dev/null +++ b/0176-add-registry-ut-test.patch @@ -0,0 +1,207 @@ +From cdb0e2b6431b4212b809ab1edf954d6b3a702a20 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=E6=AD=A6=E7=A7=AF=E8=B6=85?= +Date: Mon, 30 Dec 2024 17:28:23 +0800 +Subject: [PATCH 176/198] add registry ut test + +--- + test/image/oci/registry/CMakeLists.txt | 1 + + test/image/oci/registry/registry_ut.cc | 123 +++++++++++++++++++++++++ + 2 files changed, 124 insertions(+) + +diff --git a/test/image/oci/registry/CMakeLists.txt b/test/image/oci/registry/CMakeLists.txt +index 6166c2d0..d78bb7d3 100644 +--- a/test/image/oci/registry/CMakeLists.txt ++++ b/test/image/oci/registry/CMakeLists.txt +@@ -71,5 +71,6 @@ target_include_directories(${EXE} PUBLIC + ) + + target_link_libraries(${EXE} ${GTEST_BOTH_LIBRARIES} ${GMOCK_LIBRARY} ${GMOCK_MAIN_LIBRARY} ${CMAKE_THREAD_LIBS_INIT} ${ISULA_LIBUTILS_LIBRARY} -lcrypto -lyajl -lz libhttpclient) ++set_target_properties(${EXE} PROPERTIES LINK_FLAGS "-Wl,--wrap,map_new -Wl,--wrap,util_common_calloc_s -Wl,--wrap,pthread_mutex_init -Wl,--wrap,pthread_cond_init") + add_test(NAME ${EXE} COMMAND ${EXE} --gtest_output=xml:${EXE}-Results.xml) + set_tests_properties(${EXE} PROPERTIES TIMEOUT 120) +diff --git a/test/image/oci/registry/registry_ut.cc b/test/image/oci/registry/registry_ut.cc +index 1503ee3b..4eacdb11 100644 +--- a/test/image/oci/registry/registry_ut.cc ++++ b/test/image/oci/registry/registry_ut.cc +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + + #include "utils.h" + #include "utils_array.h" +@@ -45,6 +46,8 @@ + #include "auths.h" + #include "oci_image_mock.h" + #include "isulad_config_mock.h" ++#include "map.h" ++#include "mock.h" + + using ::testing::Args; + using ::testing::ByRef; +@@ -56,6 +59,55 @@ using ::testing::NotNull; + using ::testing::AtLeast; + using ::testing::Invoke; + ++static int g_pthread_mutex_init_count = 0; ++static int g_pthread_mutex_init_match = 1; ++ ++extern "C" { ++ DECLARE_WRAPPER_V(map_new, map_t *, (map_type_t kvtype, map_cmp_func comparator, map_kvfree_func kvfree)); ++ DEFINE_WRAPPER_V(map_new, map_t *, (map_type_t kvtype, map_cmp_func comparator, map_kvfree_func kvfree), (kvtype, comparator, kvfree)); ++ DECLARE_WRAPPER_V(pthread_mutex_init, int, (pthread_mutex_t *__mutex,const pthread_mutexattr_t *__mutexattr)); ++ DEFINE_WRAPPER_V(pthread_mutex_init, int, (pthread_mutex_t *__mutex,const pthread_mutexattr_t *__mutexattr), (__mutex, __mutexattr)); ++ DECLARE_WRAPPER_V(pthread_cond_init, int, (pthread_cond_t *__restrict __cond,const pthread_condattr_t *__restrict __cond_attr)); ++ DEFINE_WRAPPER_V(pthread_cond_init, int, (pthread_cond_t *__restrict __cond,const pthread_condattr_t *__restrict __cond_attr), (__cond, __cond_attr)); ++ DECLARE_WRAPPER_V(util_common_calloc_s, void *, (size_t size)); ++ DEFINE_WRAPPER_V(util_common_calloc_s, void *, (size_t size), (size)); ++} ++ ++/* ++*Repeatedly calling the function executes the wrapper function and original function in the following order: ++*wrapper function; original function, wrapper function; original function, original function, wrapper function;... ++*Similar to regular queues (1 means wrapper, 0 means original): 1; 0 1; 0 0 1; 0 0 0 1; ... ++*It's used to MOCK a function that repeat permutation. ++*If you want a regular queue, the variables needs to be assigned back to the initial value. ++*/ ++// extern int pthread_mutex_init (pthread_mutex_t *__mutex,const pthread_mutexattr_t *__mutexattr) ++static int failed_pthread_mutex_init(pthread_mutex_t *__mutex,const pthread_mutexattr_t *__mutexattr) ++{ ++ g_pthread_mutex_init_count++; ++ if (g_pthread_mutex_init_count == g_pthread_mutex_init_match) { ++ g_pthread_mutex_init_match++; ++ g_pthread_mutex_init_count = 0; ++ return -1; ++ } else { ++ return __real_pthread_mutex_init(__mutex, __mutexattr); ++ } ++} ++ ++void *util_common_calloc_s_fail(size_t size) ++{ ++ return nullptr; ++} ++ ++static int failed_pthread_cond_init(pthread_cond_t *__restrict __cond,const pthread_condattr_t *__restrict __cond_attr) ++{ ++ return -1; ++} ++ ++static map_t *map_new_return_null(map_type_t kvtype, map_cmp_func comparator, map_kvfree_func kvfree) ++{ ++ return nullptr; ++} ++ + std::string get_dir() + { + char abs_path[PATH_MAX] { 0x00 }; +@@ -655,6 +707,25 @@ TEST_F(RegistryUnitTest, test_pull_v1_image) + ASSERT_EQ(util_mkdir_p(mirror_dir.c_str(), 0700), 0); + ASSERT_EQ(create_certs(mirror_dir), 0); + ASSERT_EQ(init_log(), 0); ++ ++ // test utile common calloc fail ++ MOCK_SET_V(util_common_calloc_s, util_common_calloc_s_fail); ++ ASSERT_EQ(registry_init((char *)auths_dir.c_str(), (char *)certs_dir.c_str()), -1); ++ MOCK_CLEAR(util_common_calloc_s); ++ // test pthread mutex init fail ++ MOCK_SET_V(pthread_mutex_init, failed_pthread_mutex_init); ++ g_pthread_mutex_init_count = 0; ++ g_pthread_mutex_init_match = 1; ++ ASSERT_EQ(registry_init((char *)auths_dir.c_str(), (char *)certs_dir.c_str()), -1); ++ ASSERT_EQ(registry_init((char *)auths_dir.c_str(), (char *)certs_dir.c_str()), -1); ++ MOCK_CLEAR(pthread_mutex_init); ++ MOCK_SET_V(pthread_cond_init, failed_pthread_cond_init); ++ ASSERT_EQ(registry_init((char *)auths_dir.c_str(), (char *)certs_dir.c_str()), -1); ++ MOCK_CLEAR(pthread_cond_init); ++ MOCK_SET_V(map_new, map_new_return_null); ++ ASSERT_EQ(registry_init((char *)auths_dir.c_str(), (char *)certs_dir.c_str()), -1); ++ MOCK_CLEAR(map_new); ++ + ASSERT_EQ(registry_init((char *)auths_dir.c_str(), (char *)certs_dir.c_str()), 0); + + EXPECT_CALL(m_http_mock, HttpRequest(::testing::_, ::testing::_, ::testing::_, ::testing::_)) +@@ -665,6 +736,30 @@ TEST_F(RegistryUnitTest, test_pull_v1_image) + ASSERT_EQ(registry_pull(&options), 0); + + ASSERT_EQ(registry_pull(&options), 0); ++ ++ // test empty options ++ ASSERT_EQ(registry_pull(nullptr), -1); ++ ++ // test utile common calloc fail ++ MOCK_SET_V(util_common_calloc_s, util_common_calloc_s_fail); ++ ASSERT_EQ(registry_pull(&options), -1); ++ MOCK_CLEAR(util_common_calloc_s); ++ ++ options.dest_image_name = nullptr; ++ ASSERT_EQ(registry_pull(&options), -1); ++ options.dest_image_name = (char *)"quay.io/coreos/etcd:v3.3.17-arm64"; ++ ++ options.image_name = nullptr; ++ ASSERT_EQ(registry_pull(&options), -1); ++ options.image_name = (char *)"quay.io/coreos/etcd:v3.3.17-arm64"; ++ ++ // test pthread mutex init fail ++ MOCK_SET_V(pthread_mutex_init, failed_pthread_mutex_init); ++ g_pthread_mutex_init_count = 0; ++ g_pthread_mutex_init_match = 1; ++ ASSERT_EQ(registry_pull(&options), -1); ++ ASSERT_EQ(registry_pull(&options), -1); ++ MOCK_CLEAR(pthread_mutex_init); + } + + TEST_F(RegistryUnitTest, test_login) +@@ -690,6 +785,21 @@ TEST_F(RegistryUnitTest, test_login) + options.auth.username = (char *)"test3"; + options.auth.password = (char *)"test3"; + ASSERT_EQ(registry_login(&options), 0); ++ ++ // test empty options ++ ASSERT_EQ(registry_login(nullptr), -1); ++ ++ // test utile common calloc fail ++ MOCK_SET_V(util_common_calloc_s, util_common_calloc_s_fail); ++ ASSERT_EQ(registry_login(&options), -1); ++ MOCK_CLEAR(util_common_calloc_s); ++ ++ // test pthread mutex init fail ++ MOCK_SET_V(pthread_mutex_init, failed_pthread_mutex_init); ++ g_pthread_mutex_init_count = 0; ++ g_pthread_mutex_init_match = 1; ++ ASSERT_EQ(registry_login(&options), -1); ++ MOCK_CLEAR(pthread_mutex_init); + } + + TEST_F(RegistryUnitTest, test_logout) +@@ -699,6 +809,9 @@ TEST_F(RegistryUnitTest, test_logout) + + ASSERT_EQ(registry_logout((char *)"test2.com"), 0); + ++ // test empty host ++ ASSERT_EQ(registry_logout(nullptr), -1); ++ + auth_data = util_read_text_file(auths_file.c_str()); + ASSERT_NE(strstr(auth_data, "hub-mirror.c.163.com"), nullptr); + free(auth_data); +@@ -837,6 +950,16 @@ TEST_F(RegistryUnitTest, test_search_image) + ASSERT_EQ(result->results[0]->is_automated, false); + ASSERT_EQ(result->results[0]->is_official, true); + ++ // test Invalid NULL param ++ options->search_name = nullptr; ++ ASSERT_EQ(registry_search(options, &result), -1); ++ options->search_name = util_strdup_s("index.docker.io/busybox"); ++ ++ // test utile common calloc fail ++ MOCK_SET_V(util_common_calloc_s, util_common_calloc_s_fail); ++ ASSERT_EQ(registry_search(options, &result), -1); ++ MOCK_CLEAR(util_common_calloc_s); ++ + free_imagetool_search_result(result); + + // test not found +-- +2.34.1 + diff --git a/0177-add-loongarch64-support.patch b/0177-add-loongarch64-support.patch new file mode 100644 index 0000000..90a0c33 --- /dev/null +++ b/0177-add-loongarch64-support.patch @@ -0,0 +1,39 @@ +From efefd9fb4137ecdf59973e55586a4bc50cff4ad3 Mon Sep 17 00:00:00 2001 +From: qiangxuhui +Date: Mon, 6 Jan 2025 09:46:11 +0800 +Subject: [PATCH 177/198] add loongarch64 support + +--- + src/daemon/modules/spec/specs_security.c | 1 + + src/utils/cutils/utils.c | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/daemon/modules/spec/specs_security.c b/src/daemon/modules/spec/specs_security.c +index b34aec7c..4a71a1b5 100644 +--- a/src/daemon/modules/spec/specs_security.c ++++ b/src/daemon/modules/spec/specs_security.c +@@ -332,6 +332,7 @@ static char *seccomp_trans_arch_for_docker(const char *arch) + { "SCMP_ARCH_PARISC", "parisc" }, + { "SCMP_ARCH_PARISC64", "parisc64" }, + { "SCMP_ARCH_RISCV64", "riscv64" }, ++ { "SCMP_ARCH_LOONGARCH64", "loong64" }, + { "SCMP_ARCH_ALL", "all" } + }; + for (i = 0; i < sizeof(arch_map) / sizeof(arch_map[0]); i++) { +diff --git a/src/utils/cutils/utils.c b/src/utils/cutils/utils.c +index cf207acc..4db7d9ac 100644 +--- a/src/utils/cutils/utils.c ++++ b/src/utils/cutils/utils.c +@@ -1442,7 +1442,8 @@ static void normalized_host_arch(char **host_arch, struct utsname uts) + { "armhf", "arm" }, + { "armel", "arm" }, + { "mips64le", "mips64le" }, +- { "mips64el", "mips64le" } ++ { "mips64el", "mips64le" }, ++ { "loongarch64", "loong64" } + }; + size_t i = 0; + +-- +2.34.1 + diff --git a/0178-add-storage-driver-ut.patch b/0178-add-storage-driver-ut.patch new file mode 100644 index 0000000..a0609d3 --- /dev/null +++ b/0178-add-storage-driver-ut.patch @@ -0,0 +1,353 @@ +From 7321614a1097d4527f5968d1e3c7c1a06f6a9cd4 Mon Sep 17 00:00:00 2001 +From: wujichao +Date: Thu, 9 Jan 2025 16:15:25 +0800 +Subject: [PATCH 178/198] add storage driver ut + +--- + .../graphdriver/overlay2/driver_overlay2.c | 18 +- + test/image/oci/storage/layers/CMakeLists.txt | 2 + + .../oci/storage/layers/storage_driver_ut.cc | 174 ++++++++++++++++-- + 3 files changed, 169 insertions(+), 25 deletions(-) + +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c +index cc24909a..2b2e1eb3 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c +@@ -26,6 +26,8 @@ + #include + #include + ++#include ++ + #include "isula_libutils/log.h" + #ifdef ENABLE_USERNS_REMAP + #include "isulad_config.h" +@@ -828,7 +830,7 @@ out: + return ret; + } + +-static int set_layer_quota(const char *dir, const json_map_string_string *opts, const struct graphdriver *driver) ++STATIC int set_layer_quota(const char *dir, const json_map_string_string *opts, const struct graphdriver *driver) + { + int ret = 0; + size_t i = 0; +@@ -875,7 +877,7 @@ out: + } + + #ifdef ENABLE_REMOTE_LAYER_STORE +-static int do_create_remote_ro(const char *id, const char *parent, const struct graphdriver *driver, ++STATIC int do_create_remote_ro(const char *id, const char *parent, const struct graphdriver *driver, + const struct driver_create_opts *create_opts) + { + int ret = -1; +@@ -1021,7 +1023,7 @@ out: + return ret; + } + +-static int append_default_quota_opts(struct driver_create_opts *ori_opts, uint64_t quota) ++STATIC int append_default_quota_opts(struct driver_create_opts *ori_opts, uint64_t quota) + { + int ret = 0; + int nret = 0; +@@ -1362,7 +1364,7 @@ out: + return ret; + } + +-static char *get_mount_opt_data_with_custom_option(size_t cur_size, const char *cur_opts, ++STATIC char *get_mount_opt_data_with_custom_option(size_t cur_size, const char *cur_opts, + const struct driver_mount_opts *mount_opts) + { + int nret = 0; +@@ -1405,7 +1407,7 @@ out: + return mount_data; + } + +-static char *get_mount_opt_data_with_driver_option(size_t cur_size, const char *cur_opts, const char *mount_opts) ++STATIC char *get_mount_opt_data_with_driver_option(size_t cur_size, const char *cur_opts, const char *mount_opts) + { + int nret = 0; + char *mount_data = NULL; +@@ -1523,7 +1525,7 @@ out: + return mount_data; + } + +-static char *get_rel_mount_opt_data(const char *id, const char *rel_lower_dir, const struct graphdriver *driver, ++STATIC char *get_rel_mount_opt_data(const char *id, const char *rel_lower_dir, const struct graphdriver *driver, + const struct driver_mount_opts *mount_opts) + { + int nret = 0; +@@ -1663,7 +1665,7 @@ out: + return ret; + } + +-static int rel_mount(const char *driver_home, const char *id, const char *mount_data) ++STATIC int rel_mount(const char *driver_home, const char *id, const char *mount_data) + { + int ret = 0; + char *mount_target = NULL; +@@ -2151,7 +2153,7 @@ out: + return ret; + } + +-static int check_lower_valid(const char *driver_home, const char *lower) ++STATIC int check_lower_valid(const char *driver_home, const char *lower) + { + int ret = 0; + char *abs_path = NULL; +diff --git a/test/image/oci/storage/layers/CMakeLists.txt b/test/image/oci/storage/layers/CMakeLists.txt +index c4384e8f..eae67833 100644 +--- a/test/image/oci/storage/layers/CMakeLists.txt ++++ b/test/image/oci/storage/layers/CMakeLists.txt +@@ -5,6 +5,8 @@ add_subdirectory(devmapper) + # storage_driver_ut + SET(DRIVER_EXE storage_driver_ut) + ++add_definitions(-DUNIT_TEST=ON) ++ + add_executable(${DRIVER_EXE} + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/utils/cutils/utils.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/utils/cutils/utils_regex.c +diff --git a/test/image/oci/storage/layers/storage_driver_ut.cc b/test/image/oci/storage/layers/storage_driver_ut.cc +index 943fa073..79b29b71 100644 +--- a/test/image/oci/storage/layers/storage_driver_ut.cc ++++ b/test/image/oci/storage/layers/storage_driver_ut.cc +@@ -40,6 +40,20 @@ using ::testing::Invoke; + using ::testing::_; + using ::testing::FLAGS_gmock_catch_leaked_mocks; + ++extern "C" { ++ int set_layer_quota(const char *dir, const json_map_string_string *opts, const struct graphdriver *driver); ++ int do_create_remote_ro(const char *id, const char *parent, const struct graphdriver *driver, ++ const struct driver_create_opts *create_opts); ++ int append_default_quota_opts(struct driver_create_opts *ori_opts, uint64_t quota); ++ char *get_mount_opt_data_with_custom_option(size_t cur_size, const char *cur_opts, ++ const struct driver_mount_opts *mount_opts); ++ char *get_mount_opt_data_with_driver_option(size_t cur_size, const char *cur_opts, const char *mount_opts); ++ char *get_rel_mount_opt_data(const char *id, const char *rel_lower_dir, const struct graphdriver *driver, ++ const struct driver_mount_opts *mount_opts); ++ int rel_mount(const char *driver_home, const char *id, const char *mount_data); ++ int check_lower_valid(const char *driver_home, const char *lower); ++} ++ + std::string GetDirectory() + { + char abs_path[PATH_MAX] { 0x00 }; +@@ -121,7 +135,7 @@ protected: + void SetUp() override + { + MockDriverQuota_SetMock(&m_driver_quota_mock); +- std::string isulad_dir { "/tmp/isulad/" }; ++ std::string isulad_dir = "/opt/isulad_storege_driver_ut/"; + mkdir(isulad_dir.c_str(), 0755); + std::string root_dir = isulad_dir + "data"; + std::string run_dir = isulad_dir + "data/run"; +@@ -146,15 +160,15 @@ protected: + + struct storage_module_init_options *opts = (struct storage_module_init_options *)util_common_calloc_s(sizeof( + struct storage_module_init_options)); +- opts->storage_root = strdup(root_dir.c_str()); +- opts->storage_run_root = strdup(run_dir.c_str()); +- opts->driver_name = strdup("overlay"); ++ opts->storage_root = util_strdup_s(root_dir.c_str()); ++ opts->storage_run_root = util_strdup_s(run_dir.c_str()); ++ opts->driver_name = util_strdup_s("overlay"); + opts->driver_opts = (char **)util_common_calloc_s(5 * sizeof(char *)); +- opts->driver_opts[0] = strdup("overlay2.basesize=128M"); +- opts->driver_opts[1] = strdup("overlay2.override_kernel_check=true"); +- opts->driver_opts[2] = strdup("overlay2.skip_mount_home=false"); +- opts->driver_opts[3] = strdup("overlay2.mountopt=rw"); +- opts->driver_opts[4] = strdup("overlay2.skip_mount_home=true"); ++ opts->driver_opts[0] = util_strdup_s("overlay2.basesize=128M"); ++ opts->driver_opts[1] = util_strdup_s("overlay2.override_kernel_check=true"); ++ opts->driver_opts[2] = util_strdup_s("overlay2.skip_mount_home=false"); ++ opts->driver_opts[3] = util_strdup_s("overlay2.mountopt=rw"); ++ opts->driver_opts[4] = util_strdup_s("overlay2.skip_mount_home=true"); + opts->driver_opts_len = 4; + + EXPECT_CALL(m_driver_quota_mock, QuotaCtl(_, _, _, _)).WillRepeatedly(Invoke(invokeQuotaCtl)); +@@ -173,7 +187,7 @@ protected: + if (support_overlay) { + ASSERT_EQ(graphdriver_cleanup(), 0); + } +- std::string rm_command = "rm -rf /tmp/isulad/"; ++ std::string rm_command = "rm -rf /opt/isulad_storege_driver_ut/"; + ASSERT_EQ(system(rm_command.c_str()), 0); + } + +@@ -195,6 +209,134 @@ TEST_F(StorageDriverUnitTest, test_graphdriver_layer_exists) + ASSERT_FALSE(graphdriver_layer_exists(incorrectId.c_str())); + } + ++TEST_F(StorageDriverUnitTest, test_set_layer_quota) ++{ ++ if (!support_overlay) { ++ return; ++ } ++ ++ struct driver_create_opts *create_opts = (struct driver_create_opts *)util_common_calloc_s(sizeof(struct driver_create_opts)); ++ ASSERT_NE(create_opts, nullptr); ++ create_opts->storage_opt = (json_map_string_string *)util_common_calloc_s(sizeof(json_map_string_string)); ++ ASSERT_NE(create_opts->storage_opt, nullptr); ++ create_opts->storage_opt->keys = (char **)util_common_calloc_s(sizeof(char *)); ++ create_opts->storage_opt->values = (char **)util_common_calloc_s(sizeof(char *)); ++ create_opts->storage_opt->keys[0] = util_strdup_s("size"); ++ create_opts->storage_opt->values[0] = util_strdup_s(""); ++ create_opts->storage_opt->len = 1; ++ ASSERT_EQ(set_layer_quota("/opt/isulad_storege_driver_ut/", create_opts->storage_opt, nullptr), -1); ++ create_opts->storage_opt->keys[0] = util_strdup_s("notsize"); ++ ASSERT_EQ(set_layer_quota("/opt/isulad_storege_driver_ut/", create_opts->storage_opt, nullptr), -1); ++ free_driver_create_opts(create_opts); ++} ++ ++#ifdef ENABLE_REMOTE_LAYER_STORE ++TEST_F(StorageDriverUnitTest, test_do_create_remote_ro) ++{ ++ if (!support_overlay) { ++ return; ++ } ++ ++ struct graphdriver *graph_driver = (struct graphdriver *)util_common_calloc_s(sizeof(struct graphdriver)); ++ ASSERT_NE(graph_driver, nullptr); ++ graph_driver->home = nullptr; ++ ASSERT_EQ(do_create_remote_ro(nullptr, nullptr, graph_driver, nullptr), -1); ++ graph_driver->home = "driver_home"; ++ ASSERT_EQ(do_create_remote_ro(nullptr, nullptr, graph_driver, nullptr), -1); ++ free(graph_driver); ++} ++#endif ++ ++TEST_F(StorageDriverUnitTest, test_append_default_quota_opts) ++{ ++ if (!support_overlay) { ++ return; ++ } ++ ++ struct driver_create_opts *create_opts = (struct driver_create_opts *)util_common_calloc_s(sizeof(struct driver_create_opts)); ++ ASSERT_NE(create_opts, nullptr); ++ create_opts->storage_opt = (json_map_string_string *)util_common_calloc_s(sizeof(json_map_string_string)); ++ ASSERT_NE(create_opts->storage_opt, nullptr); ++ create_opts->storage_opt->keys = (char **)util_common_calloc_s(sizeof(char *)); ++ create_opts->storage_opt->values = (char **)util_common_calloc_s(sizeof(char *)); ++ create_opts->storage_opt->keys[0] = util_strdup_s("size"); ++ create_opts->storage_opt->values[0] = util_strdup_s("128M"); ++ create_opts->storage_opt->len = 1; ++ ASSERT_EQ(append_default_quota_opts(nullptr, 0), 0); ++ ASSERT_EQ(append_default_quota_opts(create_opts, 134217728), 0); // 134217728 = 128*1024*1024 ++ free_driver_create_opts(create_opts); ++} ++ ++TEST_F(StorageDriverUnitTest, test_get_mount_opt_data_with_custom_option) ++{ ++ if (!support_overlay) { ++ return; ++ } ++ ++ struct driver_mount_opts * mount_opts = (struct driver_mount_opts *)util_common_calloc_s(sizeof(struct driver_mount_opts)); ++ ASSERT_NE(mount_opts, nullptr); ++ mount_opts->options = (char **)util_common_calloc_s(1 * sizeof(char *)); ++ mount_opts->options[0] = util_strdup_s("ro"); ++ mount_opts->options_len = 1; ++ size_t cur_size = 0; ++ const char *cur_opts = "cur_opts"; ++ ASSERT_EQ(get_mount_opt_data_with_custom_option(cur_size, cur_opts, mount_opts), nullptr); ++ free_driver_mount_opts(mount_opts); ++} ++ ++TEST_F(StorageDriverUnitTest, test_get_mount_opt_data_with_driver_option) ++{ ++ if (!support_overlay) { ++ return; ++ } ++ struct driver_mount_opts * mount_opts = (struct driver_mount_opts *)util_common_calloc_s(sizeof(struct driver_mount_opts)); ++ ASSERT_NE(mount_opts, nullptr); ++ mount_opts->options = (char **)util_common_calloc_s(1 * sizeof(char *)); ++ mount_opts->options[0] = util_strdup_s("ro"); ++ size_t cur_size = 0; ++ const char *cur_opts = "cur_opts"; ++ ASSERT_EQ(get_mount_opt_data_with_driver_option(cur_size, cur_opts, mount_opts->options[0]), nullptr); ++ free_driver_mount_opts(mount_opts); ++} ++ ++TEST_F(StorageDriverUnitTest, test_get_rel_mount_opt_data) ++{ ++ if (!support_overlay) { ++ return; ++ } ++ std::string id { "9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63" }; ++ struct driver_mount_opts * mount_opts = (struct driver_mount_opts *)util_common_calloc_s(sizeof(struct driver_mount_opts)); ++ ASSERT_NE(mount_opts, nullptr); ++ mount_opts->options = (char **)util_common_calloc_s(1 * sizeof(char *)); ++ mount_opts->options[0] = util_strdup_s("ro"); ++ mount_opts->options_len = 1; ++ const char *rel_lower_dir = "rel_lower_dir"; ++ std::string res { "ro,lowerdir=rel_lower_dir,upperdir=9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63/diff,workdir=9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63/work" }; ++ ASSERT_EQ(get_rel_mount_opt_data(id.c_str(), rel_lower_dir, nullptr, mount_opts), res); ++ free_driver_mount_opts(mount_opts); ++} ++ ++TEST_F(StorageDriverUnitTest, test_rel_mount) ++{ ++ if (!support_overlay) { ++ return; ++ } ++ const char *mount_data = "mount_data"; ++ const char *driver_home = nullptr; ++ std::string id { "9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63" }; ++ ASSERT_EQ(rel_mount(driver_home, id.c_str(), mount_data),-1); ++} ++ ++TEST_F(StorageDriverUnitTest, test_check_lower_valid) ++{ ++ if (!support_overlay) { ++ return; ++ } ++ const char *lower = "lower"; ++ const char *driver_home = nullptr; ++ ASSERT_EQ(check_lower_valid(driver_home, lower), -1); ++} ++ + TEST_F(StorageDriverUnitTest, test_graphdriver_create_rw) + { + if (!support_overlay) { +@@ -202,17 +344,15 @@ TEST_F(StorageDriverUnitTest, test_graphdriver_create_rw) + } + + std::string id { "eb29745b8228e1e97c01b1d5c2554a319c00a94d8dd5746a3904222ad65a13f8" }; +- struct driver_create_opts *create_opts; +- +- create_opts = (struct driver_create_opts *)util_common_calloc_s(sizeof(struct driver_create_opts)); ++ struct driver_create_opts *create_opts = (struct driver_create_opts *)util_common_calloc_s(sizeof(struct driver_create_opts)); + ASSERT_NE(create_opts, nullptr); + + create_opts->storage_opt = (json_map_string_string *)util_common_calloc_s(sizeof(json_map_string_string)); + ASSERT_NE(create_opts->storage_opt, nullptr); + create_opts->storage_opt->keys = (char **)util_common_calloc_s(sizeof(char *)); + create_opts->storage_opt->values = (char **)util_common_calloc_s(sizeof(char *)); +- create_opts->storage_opt->keys[0] = strdup("size"); +- create_opts->storage_opt->values[0] = strdup("128M"); ++ create_opts->storage_opt->keys[0] = util_strdup_s("size"); ++ create_opts->storage_opt->values[0] = util_strdup_s("128M"); + create_opts->storage_opt->len = 1; + + EXPECT_CALL(m_driver_quota_mock, IOCtl(_, _)).WillRepeatedly(Invoke(invokeIOCtl)); +@@ -231,7 +371,7 @@ TEST_F(StorageDriverUnitTest, test_graphdriver_mount_layer) + } + + std::string id { "9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63" }; +- std::string merged_dir = "/tmp/isulad/data/overlay/" + id + "/merged"; ++ std::string merged_dir = "/opt/isulad_storege_driver_ut/data/overlay/" + id + "/merged"; + struct driver_mount_opts *mount_opts = nullptr; + char* mount_dir = nullptr; + +@@ -248,7 +388,7 @@ TEST_F(StorageDriverUnitTest, test_graphdriver_mount_layer) + mount_opts = (struct driver_mount_opts *)util_common_calloc_s(sizeof(struct driver_mount_opts)); + ASSERT_NE(mount_opts, nullptr); + mount_opts->options = (char **)util_common_calloc_s(1 * sizeof(char *)); +- mount_opts->options[0] = strdup("ro"); ++ mount_opts->options[0] = util_strdup_s("ro"); + mount_opts->options_len = 1; + + FLAGS_gmock_catch_leaked_mocks = false; +-- +2.34.1 + diff --git a/0179-iSulad-support-shim-stats-cmd.patch b/0179-iSulad-support-shim-stats-cmd.patch new file mode 100644 index 0000000..b2a542e --- /dev/null +++ b/0179-iSulad-support-shim-stats-cmd.patch @@ -0,0 +1,63 @@ +From ab9c9d71482e355e0015ac1c6331849f4ff98ee0 Mon Sep 17 00:00:00 2001 +From: zhongjiawei +Date: Fri, 10 Jan 2025 11:51:52 +0800 +Subject: [PATCH 179/198] iSulad: support shim stats cmd + +--- + src/daemon/modules/runtime/shim/shim_rt_ops.c | 32 +++++++++++++++++-- + 1 file changed, 29 insertions(+), 3 deletions(-) + +diff --git a/src/daemon/modules/runtime/shim/shim_rt_ops.c b/src/daemon/modules/runtime/shim/shim_rt_ops.c +index fce18ade..30b5e442 100644 +--- a/src/daemon/modules/runtime/shim/shim_rt_ops.c ++++ b/src/daemon/modules/runtime/shim/shim_rt_ops.c +@@ -779,11 +779,37 @@ int rt_shim_listpids(const char *id, const char *runtime, const rt_listpids_para + return 0; + } + ++static void transform_stats_info_from_runtime(struct Stats *stats, ++ struct runtime_container_resources_stats_info *info) ++{ ++ if (info == NULL) { ++ return; ++ } ++ info->pids_current = stats->pids_current; ++ info->cpu_use_nanos = stats->cpu_use_nanos; ++ info->cpu_system_use = stats->cpu_system_use; ++ info->mem_used = stats->mem_used; ++ info->mem_limit = stats->mem_limit; ++ info->rss_bytes = stats->rss_bytes; ++ info->inactive_file_total = stats->inactive_file_total; ++ info->page_faults = stats->page_faults; ++ info->major_page_faults = stats->major_page_faults; ++ info->swap_used = stats->swap_used; ++ info->swap_limit = stats->swap_limit; ++ info->blkio_read = stats->blkio_read; ++ info->blkio_write = stats->blkio_write; ++} ++ + int rt_shim_resources_stats(const char *id, const char *runtime, const rt_stats_params_t *params, + struct runtime_container_resources_stats_info *rs_stats) + { +- ERROR("rt_shim_resources_stats not impl"); +- return -1; ++ struct Stats ss = { 0 }; ++ if (shim_v2_stats(id, &ss) != 0) { ++ ERROR("rt_shim_stats failed"); ++ return -1; ++ } ++ transform_stats_info_from_runtime(&ss, rs_stats); ++ return 0; + } + + int rt_shim_resize(const char *id, const char *runtime, const rt_resize_params_t *params) +@@ -820,4 +846,4 @@ int rt_shim_kill(const char *id, const char *runtime, const rt_kill_params_t *pa + int rt_shim_rebuild_config(const char *name, const char *runtime, const rt_rebuild_config_params_t *params) + { + return 0; +-} +\ No newline at end of file ++} +-- +2.34.1 + diff --git a/0180-fix-storage-driver-ut.patch b/0180-fix-storage-driver-ut.patch new file mode 100644 index 0000000..355860d --- /dev/null +++ b/0180-fix-storage-driver-ut.patch @@ -0,0 +1,24 @@ +From 0c17c332565f32ea59f67dfc67bf32cda5660372 Mon Sep 17 00:00:00 2001 +From: wujichao +Date: Tue, 14 Jan 2025 14:33:11 +0800 +Subject: [PATCH 180/198] fix storage driver ut + +--- + test/image/oci/storage/layers/storage_driver_ut.cc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/test/image/oci/storage/layers/storage_driver_ut.cc b/test/image/oci/storage/layers/storage_driver_ut.cc +index 79b29b71..3a530715 100644 +--- a/test/image/oci/storage/layers/storage_driver_ut.cc ++++ b/test/image/oci/storage/layers/storage_driver_ut.cc +@@ -138,6 +138,7 @@ protected: + std::string isulad_dir = "/opt/isulad_storege_driver_ut/"; + mkdir(isulad_dir.c_str(), 0755); + std::string root_dir = isulad_dir + "data"; ++ mkdir(root_dir.c_str(), 0755); + std::string run_dir = isulad_dir + "data/run"; + std::string data_dir = GetDirectory() + "/data"; + +-- +2.34.1 + diff --git a/0181-apply-patch-for-lib-shim-v2-install.patch b/0181-apply-patch-for-lib-shim-v2-install.patch new file mode 100644 index 0000000..feca30b --- /dev/null +++ b/0181-apply-patch-for-lib-shim-v2-install.patch @@ -0,0 +1,25 @@ +From 7d181ca89304b78d8db73c0f41eab0bb07488e2b Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Sun, 19 Jan 2025 18:09:59 +0800 +Subject: [PATCH 181/198] apply patch for lib shim v2 install + +Signed-off-by: zhongtao +--- + CI/install_depends.sh | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/CI/install_depends.sh b/CI/install_depends.sh +index ebeb79db..8b7c7201 100755 +--- a/CI/install_depends.sh ++++ b/CI/install_depends.sh +@@ -161,6 +161,7 @@ cd lib-shim-v2 + tar xf lib-shim-v2-* + dname=$(tar -tf lib-shim-v2-*.tar.gz | head -1) + cd $dname ++git apply ../0* + mkdir .cargo + cat >> ./.cargo/config << EOF + [source.crates-io] +-- +2.34.1 + diff --git a/0182-fix-error-macro-isolation-memory-leak-and-meanless-r.patch b/0182-fix-error-macro-isolation-memory-leak-and-meanless-r.patch new file mode 100644 index 0000000..752c17f --- /dev/null +++ b/0182-fix-error-macro-isolation-memory-leak-and-meanless-r.patch @@ -0,0 +1,262 @@ +From 98ae352fb43f3bf5aa1ac1ea2d3d6cee61cf856e Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Mon, 20 Jan 2025 22:44:56 +0800 +Subject: [PATCH 182/198] fix error macro isolation/ memory leak and meanless + reply file in sandbox ut + +Signed-off-by: zhongtao +--- + test/sandbox/CMakeLists.txt | 2 +- + test/sandbox/controller/CMakeLists.txt | 7 ++++-- + .../manager/controller_manager_ut.cc | 17 +++++++------- + .../sandboxer_controller_ut.cc | 1 + + .../controller/shim/shim_controller_ut.cc | 3 +++ + test/sandbox/sandbox/CMakeLists.txt | 22 ++++++++++++++----- + test/sandbox/sandbox_manager/CMakeLists.txt | 12 ++++++++-- + .../sandbox_manager/sandbox_manager_ut.cc | 2 ++ + 8 files changed, 48 insertions(+), 18 deletions(-) + +diff --git a/test/sandbox/CMakeLists.txt b/test/sandbox/CMakeLists.txt +index 38d7ccb9..1a9fedf6 100644 +--- a/test/sandbox/CMakeLists.txt ++++ b/test/sandbox/CMakeLists.txt +@@ -1,6 +1,6 @@ + project(iSulad_UT) + +-if (ENABLE_SANDBOXER) ++if (ENABLE_CRI_API_V1) + add_subdirectory(controller) + add_subdirectory(sandbox_manager) + add_subdirectory(sandbox) +diff --git a/test/sandbox/controller/CMakeLists.txt b/test/sandbox/controller/CMakeLists.txt +index d201872b..4273c2bd 100644 +--- a/test/sandbox/controller/CMakeLists.txt ++++ b/test/sandbox/controller/CMakeLists.txt +@@ -2,6 +2,9 @@ project(iSulad_UT) + + list(APPEND grpc_sandbox_type_srcs ${CMAKE_BINARY_DIR}/grpc/src/api/services/cri/v1/api_v1.pb.cc) + list(APPEND grpc_sandbox_type_srcs ${CMAKE_BINARY_DIR}/grpc/src/api/services/cri/gogo.pb.cc) +-add_subdirectory(sandboxer) +-add_subdirectory(manager) ++ ++if (ENABLE_SANDBOXER) ++ add_subdirectory(sandboxer) ++ add_subdirectory(manager) ++endif() + add_subdirectory(shim) +diff --git a/test/sandbox/controller/manager/controller_manager_ut.cc b/test/sandbox/controller/manager/controller_manager_ut.cc +index 705baaca..c60f8818 100644 +--- a/test/sandbox/controller/manager/controller_manager_ut.cc ++++ b/test/sandbox/controller/manager/controller_manager_ut.cc +@@ -16,12 +16,13 @@ + #include + #include "gtest/gtest.h" + #include "sandboxer_controller.h" +-#include "grpc_sandboxer_client_mock.h" + #include "controller_manager.h" + #include "controller_common.h" + #include "utils.h" + #include "isulad_config_mock.h" + #include "shim_controller.h" ++#include "controller.h" ++#include "grpc_sandboxer_client_mock.h" + + class ControllerManagerWrapper : public sandbox::ControllerManager { + public: +@@ -81,7 +82,7 @@ TEST_F(ControllerManagerTest, InitTestSucceed) + EXPECT_CALL(*isuladConfMock, ConfGetServerConf()).Times(1).WillOnce(testing::Return(args)); + EXPECT_TRUE(ControllerManagerWrapper::GetInstance()->Init(err)); + EXPECT_TRUE(err.Empty()); +- EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(SHIM_CONTROLLER_NAME), nullptr); ++ EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(sandbox::SHIM_CONTROLLER_NAME), nullptr); + EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController("vmm"), nullptr); + FreeDummyServerconf(args); + } +@@ -96,7 +97,7 @@ TEST_F(ControllerManagerTest, InitTestSucceedWithEmptyConfig) + EXPECT_CALL(*isuladConfMock, ConfGetServerConf()).Times(1).WillOnce(testing::Return(args)); + EXPECT_TRUE(ControllerManagerWrapper::GetInstance()->Init(err)); + EXPECT_TRUE(err.Empty()); +- EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(SHIM_CONTROLLER_NAME), nullptr); ++ EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(sandbox::SHIM_CONTROLLER_NAME), nullptr); + EXPECT_EQ(ControllerManagerWrapper::GetInstance()->GetController("vmm"), nullptr); + FreeDummyServerconf(args); + } +@@ -111,7 +112,7 @@ TEST_F(ControllerManagerTest, InitTestFailedWithEmptySandboxerConfig) + EXPECT_CALL(*isuladConfMock, ConfGetServerConf()).Times(1).WillOnce(testing::Return(args)); + EXPECT_FALSE(ControllerManagerWrapper::GetInstance()->Init(err)); + EXPECT_THAT(err.GetCMessage(), testing::HasSubstr("Failed to load sandboxer controllers config")); +- EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(SHIM_CONTROLLER_NAME), nullptr); ++ EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(sandbox::SHIM_CONTROLLER_NAME), nullptr); + EXPECT_EQ(ControllerManagerWrapper::GetInstance()->GetController("vmm"), nullptr); + FreeDummyServerconf(args); + } +@@ -126,7 +127,7 @@ TEST_F(ControllerManagerTest, InitTestSucceedWithNullConfig) + EXPECT_CALL(*isuladConfMock, ConfGetServerConf()).Times(1).WillOnce(testing::Return(args)); + EXPECT_TRUE(ControllerManagerWrapper::GetInstance()->Init(err)); + EXPECT_TRUE(err.Empty()); +- EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(SHIM_CONTROLLER_NAME), nullptr); ++ EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(sandbox::SHIM_CONTROLLER_NAME), nullptr); + EXPECT_EQ(ControllerManagerWrapper::GetInstance()->GetController("vmm"), nullptr); + FreeDummyServerconf(args); + } +@@ -142,7 +143,7 @@ TEST_F(ControllerManagerTest, InitTestFailedWithDupShimConfig) + EXPECT_CALL(*isuladConfMock, ConfGetServerConf()).Times(1).WillOnce(testing::Return(args)); + EXPECT_FALSE(ControllerManagerWrapper::GetInstance()->Init(err)); + EXPECT_THAT(err.GetCMessage(), testing::HasSubstr("Sandboxer controller already registered, sandboxer:")); +- EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(SHIM_CONTROLLER_NAME), nullptr); ++ EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(sandbox::SHIM_CONTROLLER_NAME), nullptr); + FreeDummyServerconf(args); + } + +@@ -191,7 +192,7 @@ TEST_F(ControllerManagerTest, InitTestFailedWithDupInit) + EXPECT_CALL(*isuladConfMock, ConfGetServerConf()).Times(2).WillRepeatedly(testing::Return(args)); + EXPECT_TRUE(ControllerManagerWrapper::GetInstance()->Init(err)); + EXPECT_TRUE(err.Empty()); +- EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(SHIM_CONTROLLER_NAME), nullptr); ++ EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController(sandbox::SHIM_CONTROLLER_NAME), nullptr); + EXPECT_NE(ControllerManagerWrapper::GetInstance()->GetController("vmm"), nullptr); + EXPECT_FALSE(ControllerManagerWrapper::GetInstance()->Init(err)); + EXPECT_THAT(err.GetCMessage(), testing::HasSubstr("Sandboxer controller already registered,")); +@@ -211,6 +212,6 @@ TEST_F(ControllerManagerTest, InitTestFailedWithNullConf) + TEST_F(ControllerManagerTest, FindControllerTestFailedBeforeInit) + { + Errors err; +- EXPECT_EQ(ControllerManagerWrapper::GetInstance()->GetController(SHIM_CONTROLLER_NAME), nullptr); ++ EXPECT_EQ(ControllerManagerWrapper::GetInstance()->GetController(sandbox::SHIM_CONTROLLER_NAME), nullptr); + EXPECT_EQ(ControllerManagerWrapper::GetInstance()->GetController("vmm"), nullptr); + } +diff --git a/test/sandbox/controller/sandboxer/sandboxer_controller/sandboxer_controller_ut.cc b/test/sandbox/controller/sandboxer/sandboxer_controller/sandboxer_controller_ut.cc +index 726464e8..d31d5b95 100644 +--- a/test/sandbox/controller/sandboxer/sandboxer_controller/sandboxer_controller_ut.cc ++++ b/test/sandbox/controller/sandboxer/sandboxer_controller/sandboxer_controller_ut.cc +@@ -32,6 +32,7 @@ protected: + void TearDown() override + { + m_contoller.reset(nullptr); ++ MockSandboxerClient_SetMock(nullptr); + } + + std::string m_sandboxer = "sandboxer"; +diff --git a/test/sandbox/controller/shim/shim_controller_ut.cc b/test/sandbox/controller/shim/shim_controller_ut.cc +index e43cc645..75a51797 100644 +--- a/test/sandbox/controller/shim/shim_controller_ut.cc ++++ b/test/sandbox/controller/shim/shim_controller_ut.cc +@@ -41,6 +41,9 @@ protected: + void TearDown() override + { + m_contoller.reset(nullptr); ++ MockCallback_SetMock(nullptr); ++ MockServiceContainerApi_SetMock(nullptr); ++ MockImageApi_SetMock(nullptr); + } + + std::string m_sandboxer = "shim"; +diff --git a/test/sandbox/sandbox/CMakeLists.txt b/test/sandbox/sandbox/CMakeLists.txt +index 6dd6c3ee..d033c93f 100644 +--- a/test/sandbox/sandbox/CMakeLists.txt ++++ b/test/sandbox/sandbox/CMakeLists.txt +@@ -4,8 +4,24 @@ SET(EXE sandbox_ut) + + aux_source_directory(${CMAKE_BINARY_DIR}/grpc/src/api/services/sandbox/sandbox/types sandbox_type_srcs) + ++if(ENABLE_SANDBOXER) ++ set(sandboxer_srcs ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandboxer/controller/sandboxer_controller.cc ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks/grpc_sandboxer_client_mock.cc ++ ) ++ set(sandbox_dir ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandboxer ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandboxer/controller ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandboxer/controller/client ++ ) ++else() ++ set(sandboxer_srcs "") ++ set(sandbox_dir "") ++endif() ++ + add_executable(${EXE} + ${sandbox_type_srcs} ++ ${sandboxer_srcs} + ${CMAKE_BINARY_DIR}/grpc/src/api/services/cri/v1/api_v1.pb.cc + ${CMAKE_BINARY_DIR}/grpc/src/api/services/cri/gogo.pb.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cpputils/errors.cc +@@ -15,12 +31,10 @@ add_executable(${EXE} + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandbox.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandbox_task.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/controller_manager.cc +- ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandboxer/controller/sandboxer_controller.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/common/id_name_manager.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/config/isulad_config.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../test/sandbox/controller/controller_common.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/config/daemon_arguments.c +- ${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks/grpc_sandboxer_client_mock.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks/shim_controller_mock.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks/mailbox_mock.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/common/err_msg.c +@@ -28,6 +42,7 @@ add_executable(${EXE} + + target_include_directories(${EXE} PUBLIC + ${GTEST_INCLUDE_DIR} ++ ${sandbox_dir} + ${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/common + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/config +@@ -37,9 +52,6 @@ target_include_directories(${EXE} PUBLIC + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/shim + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/shim/controller +- ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandboxer +- ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandboxer/controller +- ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandboxer/controller/client + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/common + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cpputils +diff --git a/test/sandbox/sandbox_manager/CMakeLists.txt b/test/sandbox/sandbox_manager/CMakeLists.txt +index a7dd8c9d..45c55300 100644 +--- a/test/sandbox/sandbox_manager/CMakeLists.txt ++++ b/test/sandbox/sandbox_manager/CMakeLists.txt +@@ -4,8 +4,18 @@ SET(EXE sandbox_manager_ut) + + aux_source_directory(${CMAKE_BINARY_DIR}/grpc/src/api/services/sandbox/sandbox/types sandbox_type_srcs) + ++if(ENABLE_SANDBOXER) ++ set(sandboxer_srcs ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandboxer/controller/sandboxer_controller.cc ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks/grpc_sandboxer_client_mock.cc ++ ) ++else() ++ set(sandboxer_srcs "") ++endif() ++ + add_executable(${EXE} + ${sandbox_type_srcs} ++ ${sandboxer_srcs} + ${CMAKE_BINARY_DIR}/grpc/src/api/services/cri/v1/api_v1.pb.cc + ${CMAKE_BINARY_DIR}/grpc/src/api/services/cri/gogo.pb.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cpputils/errors.cc +@@ -19,8 +29,6 @@ add_executable(${EXE} + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/common/err_msg.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/config/daemon_arguments.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/controller_manager.cc +- ${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks/grpc_sandboxer_client_mock.cc +- ${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks/sandboxer_controller_mock.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks/shim_controller_mock.cc + ${CMAKE_CURRENT_SOURCE_DIR}/sandbox_manager_ut.cc) + +diff --git a/test/sandbox/sandbox_manager/sandbox_manager_ut.cc b/test/sandbox/sandbox_manager/sandbox_manager_ut.cc +index 9e762039..276b6f4c 100644 +--- a/test/sandbox/sandbox_manager/sandbox_manager_ut.cc ++++ b/test/sandbox/sandbox_manager/sandbox_manager_ut.cc +@@ -154,7 +154,9 @@ TEST_F(SandboxManagerTest, TestCreateSandbox) + "{\"cri-sandboxers\": {\"kuasar\": {\"name\": \"vmm\",\"address\": \"/run/vmm-sandboxer.sock\"}}}"; + struct service_arguments *args = CreateDummyServerConf(daemonConfig); + ASSERT_NE(args, nullptr); ++#ifdef ENABLE_SANDBOXER + EXPECT_CALL(*isuladConfMock, ConfGetServerConf()).Times(1).WillOnce(testing::Return(args)); ++#endif + EXPECT_TRUE(ControllerManager::GetInstance()->Init(error)); + EXPECT_TRUE(error.Empty()); + +-- +2.34.1 + diff --git a/0183-add-dt-for-cri-v1.patch b/0183-add-dt-for-cri-v1.patch new file mode 100644 index 0000000..28fe618 --- /dev/null +++ b/0183-add-dt-for-cri-v1.patch @@ -0,0 +1,575 @@ +From 262707f0d14e7c42554875cab38fdef985c21acc Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Sat, 11 Jan 2025 15:04:54 +0800 +Subject: [PATCH 183/198] add dt for cri v1 + +Signed-off-by: zhongtao +--- + CI/install_depends.sh | 5 +- + .../container_cases/cri_default_namespace.sh | 39 ++++++------ + .../container_cases/cri_exec_sync.sh | 40 ++++++------ + CI/test_cases/container_cases/cri_pod_ip.sh | 51 +++++++-------- + CI/test_cases/container_cases/cri_stream.sh | 45 +++++++------ + CI/test_cases/container_cases/cri_test.sh | 40 ++++++------ + CI/test_cases/critest.sh | 52 +++++++++------ + CI/test_cases/helpers.sh | 63 +++++++++++++++++++ + 8 files changed, 205 insertions(+), 130 deletions(-) + +diff --git a/CI/install_depends.sh b/CI/install_depends.sh +index 8b7c7201..c7fb9563 100755 +--- a/CI/install_depends.sh ++++ b/CI/install_depends.sh +@@ -44,9 +44,8 @@ function make_crictl() + git clone https://gitee.com/duguhaotian/cri-tools.git + go version + cd cri-tools +- # crictl v1.18 cannot recognise the SecurityProfile seccomp of LinuxSandboxSecurityContext +- # and the LinuxContainerSecurityContext.has_seccomp() always false +- git checkout v1.22.0 ++ # update crictl to 1.25, used to test cri v1 alpha and cri v1. ++ git checkout v1.25.0 + make -j $nproc + echo "make cri-tools: $?" + cp ./build/bin/crictl ${builddir}/bin/ +diff --git a/CI/test_cases/container_cases/cri_default_namespace.sh b/CI/test_cases/container_cases/cri_default_namespace.sh +index d013c6fa..1f418947 100755 +--- a/CI/test_cases/container_cases/cri_default_namespace.sh ++++ b/CI/test_cases/container_cases/cri_default_namespace.sh +@@ -18,17 +18,8 @@ function set_up() + + msg_info "${test} starting..." + +- cp /etc/isulad/daemon.json /etc/isulad/daemon.bak +- sed -i "s#\"pod-sandbox-image\": \"\"#\"pod-sandbox-image\": \"mirrorgooglecontainers/pause-amd64:3.0\"#g" /etc/isulad/daemon.json +- +- check_valgrind_log +- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to stop isulad" && return ${FAILURE} +- +- start_isulad_with_valgrind +- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to start isulad" && return ${FAILURE} +- +- isula load -i ${pause_img_path}/pause.tar +- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to load pause image" && return ${FAILURE} ++ init_cri_conf $1 ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to init cri conf: ${1}" && return ${FAILURE} + + crictl pull ${image} + [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to pull image: ${image}" && return ${FAILURE} +@@ -92,20 +83,28 @@ function test_cri_default_namespace_in_pod_fun() + + function tear_down() + { +- cp -f /etc/isulad/daemon.bak /etc/isulad/daemon.json +- check_valgrind_log +- start_isulad_with_valgrind ++ local ret=0 ++ restore_cri_conf ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to restore cri conf" && ((ret++)) ++ return $ret + } + + declare -i ans=0 + +-set_up || ((ans++)) +- +-for element in ${RUNTIME_LIST[@]}; ++for version in ${CRI_LIST[@]}; + do +- test_cri_default_namespace_in_pod_fun $element || ((ans++)) +-done ++ test="test_cri_default_namespace_in_pod_fun, use cri version => (${version})" ++ msg_info "${test} starting..." ++ ++ set_up $version || ((ans++)) + +-tear_down ++ for element in ${RUNTIME_LIST[@]}; ++ do ++ test_cri_default_namespace_in_pod_fun $element || ((ans++)) ++ done ++ ++ tear_down || ((ans++)) ++ msg_info "${test} finished with return ${ans}..." ++done + + show_result ${ans} "${curr_path}/${0}" +diff --git a/CI/test_cases/container_cases/cri_exec_sync.sh b/CI/test_cases/container_cases/cri_exec_sync.sh +index 97ea01ca..62352be5 100755 +--- a/CI/test_cases/container_cases/cri_exec_sync.sh ++++ b/CI/test_cases/container_cases/cri_exec_sync.sh +@@ -33,17 +33,8 @@ function do_pre() + + msg_info "${test} starting..." + +- cp /etc/isulad/daemon.json /etc/isulad/daemon.bak +- sed -i "s#\"pod-sandbox-image\": \"\"#\"pod-sandbox-image\": \"mirrorgooglecontainers/pause-amd64:3.0\"#g" /etc/isulad/daemon.json +- +- check_valgrind_log +- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to stop isulad" && return ${FAILURE} +- +- start_isulad_with_valgrind +- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to start isulad" && return ${FAILURE} +- +- isula load -i ${pause_img_path}/pause.tar +- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to load pause image" && return ${FAILURE} ++ init_cri_conf $1 ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to init cri conf: ${1}" && return ${FAILURE} + + crictl pull ${image} + [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to pull image: ${image}" && return ${FAILURE} +@@ -116,10 +107,10 @@ function tear_down() + + function do_post() + { +- cp -f /etc/isulad/daemon.bak /etc/isulad/daemon.json +- +- check_valgrind_log +- start_isulad_with_valgrind ++ local ret=0 ++ restore_cri_conf ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to restore cri conf" && ((ret++)) ++ return $ret + } + + function do_test_t() +@@ -142,13 +133,20 @@ function do_test_t() + + declare -i ans=0 + +-do_pre || ((ans++)) +- +-for element in ${RUNTIME_LIST[@]}; ++for version in ${CRI_LIST[@]}; + do +- do_test_t $element || ((ans++)) +-done ++ test="test_cri_exec_sync_fun, use cri version => (${version})" ++ msg_info "${test} starting..." + +-do_post ++ do_pre $version || ((ans++)) ++ ++ for element in ${RUNTIME_LIST[@]}; ++ do ++ do_test_t $element || ((ans++)) ++ done ++ ++ do_post || ((ans++)) ++ msg_info "${test} finished with return ${ans}..." ++done + + show_result ${ans} "${curr_path}/${0}" +diff --git a/CI/test_cases/container_cases/cri_pod_ip.sh b/CI/test_cases/container_cases/cri_pod_ip.sh +index 7bf7833b..01c644f4 100755 +--- a/CI/test_cases/container_cases/cri_pod_ip.sh ++++ b/CI/test_cases/container_cases/cri_pod_ip.sh +@@ -12,8 +12,8 @@ source ../helpers.sh + + function do_pre() + { +- cp /etc/isulad/daemon.json /etc/isulad/daemon.bak +- sed -i "s#\"pod-sandbox-image\": \"\"#\"pod-sandbox-image\": \"mirrorgooglecontainers/pause-amd64:3.0\"#g" /etc/isulad/daemon.json ++ init_cri_conf $1 ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to init cri conf: ${1}" && return ${FAILURE} + + init_cni_conf $data_path + if [ $? -ne 0 ]; then +@@ -21,21 +21,14 @@ function do_pre() + TC_RET_T=$(($TC_RET_T+1)) + return $TC_RET_T + fi +- +- isula load -i ${pause_img_path}/pause.tar +- if [ $? -ne 0 ]; then +- msg_err "Failed to load pause image" +- TC_RET_T=$(($TC_RET_T+1)) +- return $TC_RET_T +- fi +- + } + + function do_post() + { +- cp -f /etc/isulad/daemon.bak /etc/isulad/daemon.json +- check_valgrind_log +- start_isulad_with_valgrind ++ local ret=0 ++ restore_cri_conf ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to restore cri conf" && ((ret++)) ++ return $ret + } + + function do_test() +@@ -104,21 +97,29 @@ function do_test() + } + + +-ret=0 ++ans=0 + +-do_pre +-if [ $? -ne 0 ];then +- let "ret=$ret + 1" +-fi +- +-for element in ${RUNTIME_LIST[@]}; ++for version in ${CRI_LIST[@]}; + do +- do_test $element ++ test="test_cri_default_namespace_fun, use cri version => (${version})" ++ msg_info "${test} starting..." ++ ++ do_pre $version || ((ans++)) + if [ $? -ne 0 ];then +- let "ret=$ret + 1" ++ let "ans=$ans + 1" + fi +-done + +-do_post ++ for element in ${RUNTIME_LIST[@]}; ++ do ++ do_test $element ++ if [ $? -ne 0 ];then ++ let "ans=$ans + 1" ++ fi ++ done ++ ++ do_post || ((ans++)) ++ ++ msg_info "${test} finished with return ${ans}..." ++done + +-show_result $ret "cni base test" ++show_result $ans "cni base test" +diff --git a/CI/test_cases/container_cases/cri_stream.sh b/CI/test_cases/container_cases/cri_stream.sh +index 43ed3891..e4918c23 100755 +--- a/CI/test_cases/container_cases/cri_stream.sh ++++ b/CI/test_cases/container_cases/cri_stream.sh +@@ -39,17 +39,8 @@ function do_pre() + + msg_info "${test} starting..." + +- cp /etc/isulad/daemon.json /etc/isulad/daemon.bak +- sed -i "s#\"pod-sandbox-image\": \"\"#\"pod-sandbox-image\": \"mirrorgooglecontainers/pause-amd64:3.0\"#g" /etc/isulad/daemon.json +- +- check_valgrind_log +- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to stop isulad" && return ${FAILURE} +- +- start_isulad_without_valgrind +- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to start isulad" && return ${FAILURE} +- +- isula load -i ${pause_img_path}/pause.tar +- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to load pause image" && return ${FAILURE} ++ init_cri_conf $1 "without_valgrind" ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to init cri conf: ${1}" && return ${FAILURE} + + crictl pull ${image} + [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to pull image: ${image}" && return ${FAILURE} +@@ -130,13 +121,12 @@ function test_cri_attach + local test="test_cri_attach => (${FUNCNAME[@]})" + msg_info "${test} starting..." + +- nohup cricli attach -i ${cid} & ++ nohup cricli attach -ti ${cid} & + pid=$! + sleep 2 + + ps -T -p $(cat /var/run/isulad.pid) | grep IoCopy +- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - residual IO copy thread in CRI attach operation" && ((ret++)) +- ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - attach failed, no IOCopy thread" && ((ret++)) + + kill -9 $pid + sleep 2 +@@ -169,10 +159,10 @@ function tear_down() + + function do_post() + { +- cp -f /etc/isulad/daemon.bak /etc/isulad/daemon.json +- +- stop_isulad_without_valgrind +- start_isulad_with_valgrind ++ local ret=0 ++ restore_cri_conf "without_valgrind" ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to restore cri conf" && ((ret++)) ++ return $ret + } + + function do_test_t() +@@ -198,13 +188,20 @@ function do_test_t() + + declare -i ans=0 + +-do_pre || ((ans++)) +- +-for element in ${RUNTIME_LIST[@]}; ++for version in ${CRI_LIST[@]}; + do +- do_test_t $element || ((ans++)) +-done ++ test="test_cri_stream_fun, use cri version => (${version})" ++ msg_info "${test} starting..." ++ ++ do_pre $version || ((ans++)) + +-do_post ++ for element in ${RUNTIME_LIST[@]}; ++ do ++ do_test_t $element || ((ans++)) ++ done ++ ++ do_post || ((ans++)) ++ msg_info "${test} finished with return ${ans}..." ++done + + show_result ${ans} "${curr_path}/${0}" +diff --git a/CI/test_cases/container_cases/cri_test.sh b/CI/test_cases/container_cases/cri_test.sh +index 88420761..ed333a28 100755 +--- a/CI/test_cases/container_cases/cri_test.sh ++++ b/CI/test_cases/container_cases/cri_test.sh +@@ -28,24 +28,21 @@ function do_pre() + { + sed -i "s#seccomp_localhost_ref#${data_path}/seccomp_localhost.json#g" ${data_path}/container-config-seccomp-localhost.json + +- cp /etc/isulad/daemon.json /etc/isulad/daemon.bak +- sed -i "s#\"pod-sandbox-image\": \"\"#\"pod-sandbox-image\": \"mirrorgooglecontainers/pause-amd64:3.0\"#g" /etc/isulad/daemon.json +- +- check_valgrind_log +- start_isulad_with_valgrind +- +- isula load -i ${pause_img_path}/pause.tar +- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to load pause" && return ${FAILURE} +- ++ init_cri_conf $1 "without_valgrind" ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to init cri conf: ${1}" && return ${FAILURE} ++ + isula pull busybox + [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to pull busybox" && return ${FAILURE} ++ ++ return 0 + } + + function do_post() + { +- cp -f /etc/isulad/daemon.bak /etc/isulad/daemon.json +- check_valgrind_log +- start_isulad_with_valgrind ++ local ret=0 ++ restore_cri_conf "without_valgrind" ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to restore cri conf" && ((ret++)) ++ return $ret + } + + function test_cri_seccomp() +@@ -82,7 +79,7 @@ function test_cri_seccomp() + [[ $? -eq 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - chmod should fail as it's blocked by seccomp" && ((ret++)) + fi + +- isula rm -f `isula ps -a -q` ++ crictl rmp -f $(crictl pods -q) + + msg_info "${test} finished with return ${ret}..." + return ${ret} +@@ -90,13 +87,20 @@ function test_cri_seccomp() + + declare -i ans=0 + +-do_pre ++for version in ${CRI_LIST[@]}; ++do ++ test="test_cri_test_fun, use cri version => (${version})" ++ msg_info "${test} starting..." ++ ++ do_pre $version || ((ans++)) + +-test_cri_seccomp "default" || ((ans++)) +-test_cri_seccomp "unconfined" || ((ans++)) +-test_cri_seccomp "localhost" || ((ans++)) ++ test_cri_seccomp "default" || ((ans++)) ++ test_cri_seccomp "unconfined" || ((ans++)) ++ test_cri_seccomp "localhost" || ((ans++)) + +-do_post ++ do_post || ((ans++)) ++ msg_info "${test} finished with return ${ans}..." ++done + + show_result ${ans} "${curr_path}/${0}" + +diff --git a/CI/test_cases/critest.sh b/CI/test_cases/critest.sh +index f8d4975e..136594a0 100755 +--- a/CI/test_cases/critest.sh ++++ b/CI/test_cases/critest.sh +@@ -62,8 +62,9 @@ function restore_selinux_environment() { + + function pre_test() { + # build critest +- local VERSION="v1.22.0" ++ local VERSION="v1.25.0" + ++ rm -rf cri-tools + git clone https://gitee.com/duguhaotian/cri-tools.git + go version + cd cri-tools +@@ -75,15 +76,8 @@ function pre_test() { + critest --version + + # config pause +- cp /etc/isulad/daemon.json /etc/isulad/daemon.bak +- sed -i "s#\"pod-sandbox-image\": \"\"#\"pod-sandbox-image\": \"mirrorgooglecontainers/pause-amd64:3.0\"#g" /etc/isulad/daemon.json +- +- isula load -i ${pause_img_path}/pause.tar +- if [ $? -ne 0 ]; then +- msg_err "Failed to load pause image" +- TC_RET_T=$(($TC_RET_T + 1)) +- return $TC_RET_T +- fi ++ init_cri_conf $1 ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to init cri conf: ${1}" && return ${FAILURE} + + # config cni + init_cni_conf $data_path +@@ -107,7 +101,9 @@ function post_test() { + restore_selinux_environment + rm -rf ./cri-tools + rm /usr/local/bin/critest +- cp -f /etc/isulad/daemon.bak /etc/isulad/daemon.json ++ ++ restore_cri_conf ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to restore cri conf" && ((ret++)) + + # clear env + isula rm -f `isula ps -qa` +@@ -117,10 +113,8 @@ function post_test() { + do + isula pull ${image} + done +- +- stop_isulad_without_valgrind +- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - memory leak" && return ${FAILURE} +- start_isulad_with_valgrind ++ ++ return ${ret} + } + + function test_critest() { +@@ -158,12 +152,32 @@ function do_test_t() { + return $ret + } + +-declare -i ans=0 ++function do_critest_test_t() ++{ ++ local cri_version=$1 ++ local ret=0 ++ local test="do_critest_test_t => (${cri_version})" ++ msg_info "${test} starting..." ++ ++ pre_test $cri_version || (ret++) + +-pre_test || (ans++) ++ do_test_t || ((ret++)) + +-do_test_t || ((ans++)) ++ post_test || (ret++) + +-post_test || (ans++) ++ msg_info "${test} finished with return ${ret}..." ++ ++ return $ret ++} ++ ++declare -i ans=0 ++ ++for version in ${CRI_LIST[@]}; ++do ++ do_critest_test_t $version ++ if [ $? -ne 0 ];then ++ let "ans=$ans + 1" ++ fi ++done + + show_result ${ans} "${curr_path}/${0}" +diff --git a/CI/test_cases/helpers.sh b/CI/test_cases/helpers.sh +index 0288b4ea..111058e3 100755 +--- a/CI/test_cases/helpers.sh ++++ b/CI/test_cases/helpers.sh +@@ -31,6 +31,8 @@ RUNTIME_LIST=(lcr runc) + + DEFAULT_RUNTIME=runc + ++CRI_LIST=(v1alpha v1) ++ + testcase_data="/tmp/testcases_data" + + enable_native_network=0 +@@ -321,4 +323,65 @@ function do_pretest() { + msg_info "#####################" + } + ++function init_cri_conf() { ++ local ret=0 ++ check_valgrind_log ++ if [ $? -ne 0 ]; then ++ echo "stop isulad failed" ++ ret=$(($ret+1)) ++ fi ++ ++ cp /etc/isulad/daemon.json /etc/isulad/daemon.bak ++ if [ "x$1" == "xv1" ]; then ++ echo "use cri v1" ++ sed -i '/"pod-sandbox-image": ""/i "enable-cri-v1": true,' /etc/isulad/daemon.json ++ fi ++ sed -i "s#\"pod-sandbox-image\": \"\"#\"pod-sandbox-image\": \"mirrorgooglecontainers/pause-amd64:3.0\"#g" /etc/isulad/daemon.json ++ ++ if [ "x$2" == "xwithout_valgrind" ]; then ++ start_isulad_without_valgrind ++ else ++ echo "start with valgrind" ++ start_isulad_with_valgrind ++ fi ++ if [ $? -ne 0 ]; then ++ echo "start failed" ++ ret=$(($ret+1)) ++ fi ++ ++ isula load -i ${pause_img_path}/pause.tar ++ if [ $? -ne 0 ]; then ++ msg_err "Failed to load pause image" ++ ret=$(($ret + 1)) ++ return $ret ++ fi ++ ++ return $ret ++} ++ ++function restore_cri_conf() { ++ local ret=0 ++ ++ if [ "x$1" == "xwithout_valgrind" ]; then ++ stop_isulad_without_valgrind ++ else ++ echo "stop with valgrind" ++ check_valgrind_log ++ fi ++ if [ $? -ne 0 ]; then ++ echo "stop isulad failed" ++ ret=$(($ret+1)) ++ fi ++ ++ cp /etc/isulad/daemon.bak /etc/isulad/daemon.json ++ ++ start_isulad_with_valgrind ++ if [ $? -ne 0 ]; then ++ echo "start failed" ++ ret=$(($ret+1)) ++ fi ++ ++ return $ret ++} ++ + do_pretest +-- +2.34.1 + diff --git a/0184-do-check-process-alive-read-pid-ppid-info-in-runtime.patch b/0184-do-check-process-alive-read-pid-ppid-info-in-runtime.patch new file mode 100644 index 0000000..4fa315f --- /dev/null +++ b/0184-do-check-process-alive-read-pid-ppid-info-in-runtime.patch @@ -0,0 +1,454 @@ +From 02b51963a37da893cc52a35562dd32f772e9e497 Mon Sep 17 00:00:00 2001 +From: jikai +Date: Fri, 24 Nov 2023 17:36:50 +0800 +Subject: [PATCH 184/198] do check process alive read pid ppid info in runtime + +Signed-off-by: jikai +--- + src/daemon/modules/api/runtime_api.h | 17 ++++++++ + .../container/container_gc/containers_gc.c | 19 +++++++-- + .../modules/container/restore/restore.c | 29 ++++++++++--- + .../modules/container/supervisor/supervisor.c | 17 +++++++- + .../modules/runtime/engines/lcr/lcr_rt_ops.c | 11 +++++ + .../modules/runtime/engines/lcr/lcr_rt_ops.h | 4 ++ + .../modules/runtime/isula/isula_rt_ops.c | 13 +++++- + .../modules/runtime/isula/isula_rt_ops.h | 3 ++ + src/daemon/modules/runtime/runtime.c | 42 +++++++++++++++++++ + src/daemon/modules/runtime/shim/shim_rt_ops.c | 22 ++++++++++ + src/daemon/modules/runtime/shim/shim_rt_ops.h | 3 ++ + .../modules/service/service_container.c | 1 + + 12 files changed, 169 insertions(+), 12 deletions(-) + +diff --git a/src/daemon/modules/api/runtime_api.h b/src/daemon/modules/api/runtime_api.h +index 1f23efe3..b0d70493 100644 +--- a/src/daemon/modules/api/runtime_api.h ++++ b/src/daemon/modules/api/runtime_api.h +@@ -208,6 +208,15 @@ typedef struct _rt_runtime_rebuild_config_params_t { + const char *rootpath; + } rt_rebuild_config_params_t; + ++typedef struct _rt_runtime_read_pid_ppid_info_params_t { ++ int pid; ++} rt_read_pid_ppid_info_params_t; ++ ++typedef struct _rt_runtime_detect_process_params_t { ++ int pid; ++ uint64_t start_time; ++} rt_detect_process_params_t; ++ + struct rt_ops { + /* detect whether runtime is of this runtime type */ + bool (*detect)(const char *runtime); +@@ -245,6 +254,10 @@ struct rt_ops { + int (*rt_resize)(const char *name, const char *runtime, const rt_resize_params_t *params); + int (*rt_exec_resize)(const char *name, const char *runtime, const rt_exec_resize_params_t *params); + int (*rt_rebuild_config)(const char *name, const char *runtime, const rt_rebuild_config_params_t *params); ++ ++ int (*rt_read_pid_ppid_info)(const char *name, const char *runtime, const rt_read_pid_ppid_info_params_t *params, ++ pid_ppid_info_t *pid_info); ++ int (*rt_detect_process)(const char *name, const char *runtime, const rt_detect_process_params_t *params); + }; + + int runtime_create(const char *name, const char *runtime, const rt_create_params_t *params); +@@ -269,6 +282,10 @@ int runtime_rebuild_config(const char *name, const char *runtime, const rt_rebui + void free_rt_listpids_out_t(rt_listpids_out_t *out); + int runtime_resize(const char *name, const char *runtime, const rt_resize_params_t *params); + int runtime_exec_resize(const char *name, const char *runtime, const rt_exec_resize_params_t *params); ++ ++int runtime_read_pid_ppid_info(const char *name, const char *runtime, const rt_read_pid_ppid_info_params_t *params, ++ pid_ppid_info_t *pid_info); ++int runtime_detect_process(const char *name, const char *runtime, const rt_detect_process_params_t *params); + bool is_default_runtime(const char *name); + + int runtime_init(void); +diff --git a/src/daemon/modules/container/container_gc/containers_gc.c b/src/daemon/modules/container/container_gc/containers_gc.c +index 2d16dee8..3f2473d5 100644 +--- a/src/daemon/modules/container/container_gc/containers_gc.c ++++ b/src/daemon/modules/container/container_gc/containers_gc.c +@@ -386,6 +386,7 @@ static void gc_monitor_process(const char *id, pid_t pid, unsigned long long sta + { + INFO("Received garbage collector monitor of %s with pid %d", id, pid); + ++ // for shim-v2, here is a ppid, which is always 0 + if (util_process_alive(pid, start_time)) { + int ret = kill(pid, SIGKILL); + if (ret < 0 && errno != ESRCH) { +@@ -461,14 +462,16 @@ static void gc_container_process(struct linked_list *it) + char *runtime = NULL; + char *id = NULL; + container_garbage_config_gc_containers_element *gc_cont = NULL; ++ rt_detect_process_params_t detect_params = { ++ .pid = gc_cont->pid, ++ .start_time = gc_cont->start_time, ++ }; + + gc_cont = (container_garbage_config_gc_containers_element *)it->elem; + id = gc_cont->id; + runtime = gc_cont->runtime; +- pid = gc_cont->pid; +- start_time = gc_cont->start_time; + +- if (util_process_alive(pid, start_time) == false) { ++ if (runtime_detect_process(id, runtime, &detect_params) < 0) { + ret = clean_container_resource(id, runtime, pid); + if (ret != 0) { + WARN("Failed to clean resources of container %s", id); +@@ -495,7 +498,15 @@ static void gc_container_process(struct linked_list *it) + free(it); + } else { + try_to_resume_container(id, runtime); +- ret = kill(pid, SIGKILL); ++ ++ rt_kill_params_t kill_params = { ++ .signal = SIGKILL, ++ .stop_signal = SIGKILL, ++ .pid = pid, ++ .start_time = start_time, ++ }; ++ ++ ret = runtime_kill(id, runtime, &kill_params); + if (ret < 0 && errno != ESRCH) { + ERROR("Can not kill process (pid=%d) with SIGKILL for container %s", pid, id); + } +diff --git a/src/daemon/modules/container/restore/restore.c b/src/daemon/modules/container/restore/restore.c +index 44ed14df..48a3ae4b 100644 +--- a/src/daemon/modules/container/restore/restore.c ++++ b/src/daemon/modules/container/restore/restore.c +@@ -58,7 +58,12 @@ static int restore_supervisor(const container_t *cont) + char *exit_fifo = NULL; + char *id = cont->common_config->id; + char *statepath = cont->state_path; ++ char *runtime = cont->runtime; + pid_ppid_info_t pid_info = { 0 }; ++ rt_detect_process_params_t params = { ++ .pid = cont->state->state->pid, ++ .start_time = cont->state->state->start_time, ++ }; + + nret = snprintf(container_state, sizeof(container_state), "%s/%s", statepath, id); + if (nret < 0 || (size_t)nret >= sizeof(container_state)) { +@@ -81,7 +86,7 @@ static int restore_supervisor(const container_t *cont) + goto out; + } + +- if (!util_process_alive(cont->state->state->pid, cont->state->state->start_time)) { ++ if (runtime_detect_process(id, runtime, ¶ms) != 0) { + ERROR("Container %s pid %d already dead, skip add supervisor", id, cont->state->state->pid); + close(exit_fifo_fd); + ret = -1; +@@ -112,8 +117,10 @@ static int post_stopped_container_to_gc(const char *id, const char *runtime, con + { + int ret = 0; + pid_ppid_info_t pid_info = { 0 }; ++ rt_read_pid_ppid_info_params_t params = { 0 }; ++ params.pid = old_pid_info->pid; + +- (void)util_read_pid_ppid_info(old_pid_info->pid, &pid_info); ++ (void)runtime_read_pid_ppid_info(id, runtime, ¶ms, &pid_info); + if (pid_info.ppid == 0) { + pid_info.ppid = old_pid_info->ppid; + pid_info.pstart_time = old_pid_info->pstart_time; +@@ -180,9 +187,15 @@ static void restore_stopped_container(Container_Status status, const container_t + pid_ppid_info_t pid_info = { 0 }; + + if (status != CONTAINER_STATUS_STOPPED && status != CONTAINER_STATUS_CREATED) { +- if (util_process_alive(cont->state->state->pid, cont->state->state->start_time)) { ++ rt_detect_process_params_t params = { ++ .pid = cont->state->state->pid, ++ .start_time = cont->state->state->start_time, ++ }; ++ if (runtime_detect_process(id, cont->runtime, ¶ms) == 0) { + pid_info.pid = cont->state->state->pid; ++ pid_info.start_time = cont->state->state->start_time; + } ++ + if (util_process_alive(cont->state->state->p_pid, cont->state->state->p_start_time)) { + pid_info.ppid = cont->state->state->p_pid; + pid_info.pstart_time = cont->state->state->p_start_time; +@@ -204,8 +217,11 @@ static void restore_running_container(Container_Status status, container_t *cont + int nret = 0; + const char *id = cont->common_config->id; + pid_ppid_info_t pid_info = { 0 }; ++ rt_read_pid_ppid_info_params_t params = { ++ .pid = info->pid, ++ }; + +- nret = util_read_pid_ppid_info(info->pid, &pid_info); ++ nret = runtime_read_pid_ppid_info(id, cont->runtime, ¶ms, &pid_info); + if (nret == 0) { + try_to_set_container_running(status, cont, &pid_info); + container_state_reset_has_been_manual_stopped(cont->state); +@@ -234,10 +250,13 @@ static void restore_paused_container(Container_Status status, container_t *cont, + int nret = 0; + const char *id = cont->common_config->id; + pid_ppid_info_t pid_info = { 0 }; ++ rt_read_pid_ppid_info_params_t params = { ++ .pid = info->pid, ++ }; + + container_state_set_paused(cont->state); + +- nret = util_read_pid_ppid_info(info->pid, &pid_info); ++ nret = runtime_read_pid_ppid_info(id, cont->runtime, ¶ms, &pid_info); + if (nret == 0) { + try_to_set_paused_container_pid(status, cont, &pid_info); + container_state_reset_has_been_manual_stopped(cont->state); +diff --git a/src/daemon/modules/container/supervisor/supervisor.c b/src/daemon/modules/container/supervisor/supervisor.c +index f77f58d7..b5ff6166 100644 +--- a/src/daemon/modules/container/supervisor/supervisor.c ++++ b/src/daemon/modules/container/supervisor/supervisor.c +@@ -46,6 +46,7 @@ + #include "cgroup.h" + #include "specs_api.h" + #endif ++#include "runtime_api.h" + + pthread_mutex_t g_supervisor_lock = PTHREAD_MUTEX_INITIALIZER; + struct epoll_descr g_supervisor_descr; +@@ -177,6 +178,17 @@ static void *clean_resources_thread(void *arg) + char *runtime = data->runtime; + unsigned long long start_time = data->pid_info.start_time; + pid_t pid = data->pid_info.pid; ++ rt_detect_process_params_t detect_params = { ++ .pid = pid, ++ .start_time = start_time, ++ }; ++ rt_kill_params_t kill_params = { ++ .signal = SIGKILL, ++ .stop_signal = SIGKILL, ++ .pid = pid, ++ .start_time = start_time ++ }; ++ + int retry_count = 0; + int max_retry = 10; + #ifdef ENABLE_CRI_API_V1 +@@ -192,7 +204,7 @@ static void *clean_resources_thread(void *arg) + prctl(PR_SET_NAME, "Clean resource"); + + retry: +- if (false == util_process_alive(pid, start_time)) { ++ if (runtime_detect_process(name, runtime, &detect_params) < 0) { + ret = clean_container_resource(name, runtime, pid); + // clean_container_resource failed, do not log error message, + // just add to gc to retry clean resource. +@@ -200,7 +212,7 @@ retry: + ERROR("Failed to clean resources of container %s", name); + } + } else { +- ret = kill(pid, SIGKILL); ++ ret = runtime_kill(name, runtime, &kill_params); + if (ret < 0 && errno != ESRCH) { + ERROR("Can not kill process (pid=%d) with SIGKILL for container %s", pid, name); + } +@@ -212,6 +224,7 @@ retry: + } + + // get info of init process in container for debug problem of container ++ // but for shim-v2, this might be a misleading debug info + proc_t *c_proc = util_get_process_proc_info(pid); + if (c_proc != NULL) { + ERROR("Container %s into GC with process state: {cmd: %s, state: %c, pid: %d}", name, c_proc->cmd, c_proc->state, +diff --git a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c +index 64a8adbc..eb3afb94 100644 +--- a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c ++++ b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c +@@ -941,3 +941,14 @@ out: + free_oci_runtime_spec(oci_spec); + return ret; + } ++ ++int rt_lcr_read_pid_ppid_info(const char *name, const char *runtime, const rt_read_pid_ppid_info_params_t *params, ++ pid_ppid_info_t *pid_info) ++{ ++ return util_read_pid_ppid_info(params->pid, pid_info); ++} ++ ++int rt_lcr_detect_process(const char *name, const char *runtime, const rt_detect_process_params_t *params) ++{ ++ return util_process_alive(params->pid, params->start_time) ? 0 : -1; ++} +diff --git a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.h b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.h +index 7403544d..85ebe6f7 100644 +--- a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.h ++++ b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.h +@@ -48,6 +48,10 @@ int rt_lcr_resize(const char *id, const char *runtime, const rt_resize_params_t + int rt_lcr_exec_resize(const char *id, const char *runtime, const rt_exec_resize_params_t *params); + int rt_lcr_kill(const char *id, const char *runtime, const rt_kill_params_t *params); + int rt_lcr_rebuild_config(const char *name, const char *runtime, const rt_rebuild_config_params_t *params); ++ ++int rt_lcr_read_pid_ppid_info(const char *name, const char *runtime, const rt_read_pid_ppid_info_params_t *params, ++ pid_ppid_info_t *pid_info); ++int rt_lcr_detect_process(const char *name, const char *runtime, const rt_detect_process_params_t *params); + #ifdef __cplusplus + } + #endif +diff --git a/src/daemon/modules/runtime/isula/isula_rt_ops.c b/src/daemon/modules/runtime/isula/isula_rt_ops.c +index 0adb3858..35c09921 100644 +--- a/src/daemon/modules/runtime/isula/isula_rt_ops.c ++++ b/src/daemon/modules/runtime/isula/isula_rt_ops.c +@@ -2173,4 +2173,15 @@ int rt_isula_kill(const char *id, const char *runtime, const rt_kill_params_t *p + int rt_isula_rebuild_config(const char *name, const char *runtime, const rt_rebuild_config_params_t *params) + { + return 0; +-} +\ No newline at end of file ++} ++ ++int rt_isula_read_pid_ppid_info(const char *id, const char *runtime, const rt_read_pid_ppid_info_params_t *params, ++ pid_ppid_info_t *pid_info) ++{ ++ return util_read_pid_ppid_info(params->pid, pid_info); ++} ++ ++int rt_isula_detect_process(const char *id, const char *runtime, const rt_detect_process_params_t *params) ++{ ++ return util_process_alive(params->pid, params->start_time) ? 0 : -1; ++} +diff --git a/src/daemon/modules/runtime/isula/isula_rt_ops.h b/src/daemon/modules/runtime/isula/isula_rt_ops.h +index 1e5e049a..88236a1e 100644 +--- a/src/daemon/modules/runtime/isula/isula_rt_ops.h ++++ b/src/daemon/modules/runtime/isula/isula_rt_ops.h +@@ -48,6 +48,9 @@ int rt_isula_exec_resize(const char *id, const char *runtime, const rt_exec_resi + int rt_isula_kill(const char *id, const char *runtime, const rt_kill_params_t *params); + int rt_isula_rebuild_config(const char *name, const char *runtime, const rt_rebuild_config_params_t *params); + ++int rt_isula_read_pid_ppid_info(const char *name, const char *runtime, const rt_read_pid_ppid_info_params_t *params, ++ pid_ppid_info_t *pid_info); ++int rt_isula_detect_process(const char *name, const char *runtime, const rt_detect_process_params_t *params); + #ifdef __cplusplus + } + #endif +diff --git a/src/daemon/modules/runtime/runtime.c b/src/daemon/modules/runtime/runtime.c +index 43b78bca..7be140dc 100644 +--- a/src/daemon/modules/runtime/runtime.c ++++ b/src/daemon/modules/runtime/runtime.c +@@ -46,6 +46,8 @@ static const struct rt_ops g_lcr_rt_ops = { + .rt_exec_resize = rt_lcr_exec_resize, + .rt_kill = rt_lcr_kill, + .rt_rebuild_config = rt_lcr_rebuild_config, ++ .rt_read_pid_ppid_info = rt_lcr_read_pid_ppid_info, ++ .rt_detect_process = rt_lcr_detect_process, + }; + + static const struct rt_ops g_isula_rt_ops = { +@@ -67,6 +69,8 @@ static const struct rt_ops g_isula_rt_ops = { + .rt_exec_resize = rt_isula_exec_resize, + .rt_kill = rt_isula_kill, + .rt_rebuild_config = rt_isula_rebuild_config, ++ .rt_read_pid_ppid_info = rt_isula_read_pid_ppid_info, ++ .rt_detect_process = rt_isula_detect_process, + }; + + #ifdef ENABLE_SHIM_V2 +@@ -89,6 +93,8 @@ static const struct rt_ops g_shim_rt_ops = { + .rt_exec_resize = rt_shim_exec_resize, + .rt_kill = rt_shim_kill, + .rt_rebuild_config = rt_shim_rebuild_config, ++ .rt_read_pid_ppid_info = rt_shim_read_pid_ppid_info, ++ .rt_detect_process = rt_shim_detect_process, + }; + #endif + +@@ -534,6 +540,42 @@ out: + return ret; + } + ++int runtime_read_pid_ppid_info(const char *name, const char *runtime, const rt_read_pid_ppid_info_params_t *params, ++ pid_ppid_info_t *pid_info) ++{ ++ const struct rt_ops *ops = NULL; ++ ++ if (name == NULL || runtime == NULL || params == NULL) { ++ ERROR("Invalid arguments for runtime exec resize"); ++ return -1; ++ } ++ ++ ops = rt_ops_query(runtime); ++ if (ops == NULL) { ++ ERROR("Failed to get runtime ops"); ++ return -1; ++ } ++ ++ return ops->rt_read_pid_ppid_info(name, runtime, params, pid_info); ++} ++ ++int runtime_detect_process(const char *name, const char *runtime, const rt_detect_process_params_t *params) ++{ ++ const struct rt_ops *ops = NULL; ++ ++ if (name == NULL || runtime == NULL || params == NULL) { ++ ERROR("Invalid arguments for runtime process alive"); ++ return -1; ++ } ++ ++ ops = rt_ops_query(runtime); ++ if (ops == NULL) { ++ return -1; ++ } ++ ++ return ops->rt_detect_process(name, runtime, params); ++} ++ + bool is_default_runtime(const char *name) + { + const char *runtimes[] = { "lcr", "runc", "kata-runtime" }; +diff --git a/src/daemon/modules/runtime/shim/shim_rt_ops.c b/src/daemon/modules/runtime/shim/shim_rt_ops.c +index 30b5e442..268d66d9 100644 +--- a/src/daemon/modules/runtime/shim/shim_rt_ops.c ++++ b/src/daemon/modules/runtime/shim/shim_rt_ops.c +@@ -847,3 +847,25 @@ int rt_shim_rebuild_config(const char *name, const char *runtime, const rt_rebui + { + return 0; + } ++ ++int rt_shim_read_pid_ppid_info(const char *name, const char *runtime, const rt_read_pid_ppid_info_params_t *params, ++ pid_ppid_info_t *pid_info) ++{ ++ if (pid_info == NULL) { ++ ERROR("Invalid input params"); ++ return -1; ++ } ++ ++ pid_info->pid = params->pid; ++ return 0; ++} ++ ++int rt_shim_detect_process(const char *name, const char *runtime, const rt_detect_process_params_t *params) ++{ ++ if (shim_v2_kill(name, NULL, 0, false) != 0) { ++ ERROR("%s: detect process failed", name); ++ return -1; ++ } ++ ++ return 0; ++} +diff --git a/src/daemon/modules/runtime/shim/shim_rt_ops.h b/src/daemon/modules/runtime/shim/shim_rt_ops.h +index 2df34f4c..a3968cf5 100644 +--- a/src/daemon/modules/runtime/shim/shim_rt_ops.h ++++ b/src/daemon/modules/runtime/shim/shim_rt_ops.h +@@ -64,6 +64,9 @@ bool is_valid_v2_runtime(const char* name); + + int rt_shim_rebuild_config(const char *name, const char *runtime, const rt_rebuild_config_params_t *params); + ++int rt_shim_read_pid_ppid_info(const char *id, const char *runtime, const rt_read_pid_ppid_info_params_t *params, ++ pid_ppid_info_t *pid_info); ++int rt_shim_detect_process(const char *id, const char *runtime, const rt_detect_process_params_t *params); + #ifdef __cplusplus + } + #endif +diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c +index 250e8299..dbf56776 100644 +--- a/src/daemon/modules/service/service_container.c ++++ b/src/daemon/modules/service/service_container.c +@@ -1513,6 +1513,7 @@ out: + + static int send_signal_to_process(pid_t pid, unsigned long long start_time, uint32_t stop_signal, uint32_t signal) + { ++ // for shim-v2, here is a ppid, which is always 0 + if (util_process_alive(pid, start_time) == false) { + if (signal == stop_signal || signal == SIGKILL) { + WARN("Process %d is not alive", pid); +-- +2.34.1 + diff --git a/0185-sandbox-sandboxer-code-isolation.patch b/0185-sandbox-sandboxer-code-isolation.patch new file mode 100644 index 0000000..c2024ac --- /dev/null +++ b/0185-sandbox-sandboxer-code-isolation.patch @@ -0,0 +1,275 @@ +From e36d01f2f3a91060b0fecd3ef4b2c0e09b1e5f23 Mon Sep 17 00:00:00 2001 +From: liuxu +Date: Fri, 7 Feb 2025 11:43:21 +0800 +Subject: [PATCH 185/198] sandbox:sandboxer code isolation + +Signed-off-by: liuxu +--- + .../modules/service/service_container.c | 37 ++++++++----------- + src/daemon/sandbox/sandbox.cc | 10 ++++- + src/daemon/sandbox/sandbox.h | 6 ++- + src/daemon/sandbox/sandbox_ops.cc | 2 + + src/daemon/sandbox/sandbox_ops.h | 2 + + .../sandbox/{ => sandboxer}/sandbox_task.cc | 0 + .../sandbox/{ => sandboxer}/sandbox_task.h | 0 + 7 files changed, 33 insertions(+), 24 deletions(-) + rename src/daemon/sandbox/{ => sandboxer}/sandbox_task.cc (100%) + rename src/daemon/sandbox/{ => sandboxer}/sandbox_task.h (100%) + +diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c +index 250e8299..18104781 100644 +--- a/src/daemon/modules/service/service_container.c ++++ b/src/daemon/modules/service/service_container.c +@@ -780,6 +780,9 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo + oci_runtime_spec *oci_spec = NULL; + rt_create_params_t create_params = { 0 }; + rt_start_params_t start_params = { 0 }; ++#ifdef ENABLE_SANDBOXER ++ int prepare_container_ret = -1; ++#endif + + nret = snprintf(bundle, sizeof(bundle), "%s/%s", cont->root_path, id); + if (nret < 0 || (size_t)nret >= sizeof(bundle)) { +@@ -904,7 +907,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo + } + #endif + +-#ifdef ENABLE_CRI_API_V1 ++#ifdef ENABLE_SANDBOXER + if (cont->common_config->sandbox_info != NULL && + sandbox_prepare_container(cont->common_config, + oci_spec, console_fifos, tty) != 0) { +@@ -912,6 +915,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo + ret = -1; + goto close_exit_fd; + } ++ prepare_container_ret = 0; + #endif + + create_params.bundle = bundle; +@@ -935,11 +939,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo + + if (runtime_create(id, runtime, &create_params) != 0) { + ret = -1; +-#ifdef ENABLE_CRI_API_V1 +- goto clean_prepare_container; +-#else + goto close_exit_fd; +-#endif + } + + start_params.rootpath = cont->root_path; +@@ -962,32 +962,25 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo + if (do_post_start_on_success(cont, exit_fifo_fd, exit_fifo, pid_info) != 0) { + ERROR("Failed to do post start on runtime start success"); + ret = -1; +-#ifdef ENABLE_CRI_API_V1 +- goto clean_prepare_container; +-#else + goto close_exit_fd; +-#endif + } + } else { + // wait monitor cleanup cgroup and processes finished + wait_exit_fifo(id, exit_fifo_fd); +-#ifdef ENABLE_CRI_API_V1 +- goto clean_prepare_container; +-#else + goto close_exit_fd; +-#endif + } + goto out; + +-#ifdef ENABLE_CRI_API_V1 +-clean_prepare_container: +- if (cont->common_config->sandbox_info != NULL && +- sandbox_purge_container(cont->common_config) != 0) { +- ERROR("Failed to remove container %s from sandbox", id); ++close_exit_fd: ++#ifdef ENABLE_SANDBOXER ++ if (prepare_container_ret == 0) { ++ if (cont->common_config->sandbox_info != NULL && ++ sandbox_purge_container(cont->common_config) != 0) { ++ ERROR("Failed to remove container %s from sandbox", id); ++ } + } + #endif + +-close_exit_fd: + close(exit_fifo_fd); + clean_resources_on_failure(cont, engine_log_path, loglevel); + +@@ -1689,7 +1682,7 @@ int stop_container(container_t *cont, int timeout, bool force, bool restart) + } + } + +-#ifdef ENABLE_CRI_API_V1 ++#ifdef ENABLE_SANDBOXER + if (cont->common_config->sandbox_info != NULL && + sandbox_purge_container(cont->common_config) != 0) { + ERROR("Failed to remove container %s from sandbox", id); +@@ -2159,7 +2152,7 @@ static int do_exec_container(const container_t *cont, const char *runtime, char + goto out; + } + +-#ifdef ENABLE_CRI_API_V1 ++#ifdef ENABLE_SANDBOXER + if (cont->common_config->sandbox_info != NULL && + sandbox_prepare_exec(cont->common_config, request->suffix, + process_spec, (const char **)console_fifos, request->tty) != 0) { +@@ -2283,7 +2276,7 @@ static void exec_container_end(container_exec_response *response, const containe + const char *exec_id, uint32_t cc, + int exit_code, int sync_fd, pthread_t thread_id) + { +-#ifdef ENABLE_CRI_API_V1 ++#ifdef ENABLE_SANDBOXER + if (cont->common_config->sandbox_info != NULL && + sandbox_purge_exec(cont->common_config, exec_id) != 0) { + ERROR("Failed to purge container for exec %s", exec_id); +diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc +index d105d71a..d5681d48 100644 +--- a/src/daemon/sandbox/sandbox.cc ++++ b/src/daemon/sandbox/sandbox.cc +@@ -494,7 +494,9 @@ auto Sandbox::Load(Errors &error) -> bool + } + + LoadNetworkSetting(); ++#ifdef ENABLE_SANDBOXER + LoadSandboxTasks(); ++#endif + + // When the sandbox status acquisition fails or wait fails, the sandbox status is set to not ready, + // and the user decides whether to delete the sandbox. +@@ -583,9 +585,11 @@ void Sandbox::CleanupSandboxDirs() + ERROR("Failed to delete sandbox's root directory %s", m_rootdir.c_str()); + } + ++#ifdef ENABLE_SANDBOXER + if (util_recursive_rmdir(m_statedir.c_str(), 0) != 0) { +- ERROR("Failed to delete sandbox's state directory %s", m_rootdir.c_str()); ++ ERROR("Failed to delete sandbox's state directory %s", m_statedir.c_str()); + } ++#endif + } + + void Sandbox::PrepareSandboxDirs(Errors &error) +@@ -615,12 +619,14 @@ void Sandbox::PrepareSandboxDirs(Errors &error) + goto out; + } + ++#ifdef ENABLE_SANDBOXER + nret = util_mkdir_p(m_statedir.c_str(), TEMP_DIRECTORY_MODE); + if (nret < 0) { + error.Errorf("Unable to create sandbox state directory %s.", m_statedir.c_str()); + ERROR("Unable to create sandbox state directory %s.", m_statedir.c_str()); + goto out; + } ++#endif + + umask(mask); + return; +@@ -1119,6 +1125,7 @@ void Sandbox::FillSandboxMetadata(sandbox_metadata* metadata, Errors &error) + metadata->sandbox_config_json = util_strdup_s(jsonStr.c_str()); + } + ++#ifdef ENABLE_SANDBOXER + void Sandbox::LoadSandboxTasks() + { + } +@@ -1145,5 +1152,6 @@ auto Sandbox::PurgeExec(const char *containerId, const char *execId) -> int + { + return 0; + } ++#endif + + } +\ No newline at end of file +diff --git a/src/daemon/sandbox/sandbox.h b/src/daemon/sandbox/sandbox.h +index 58d60ecb..3a7b0736 100644 +--- a/src/daemon/sandbox/sandbox.h ++++ b/src/daemon/sandbox/sandbox.h +@@ -23,6 +23,9 @@ + #include + #include + #include ++#ifdef ENABLE_SANDBOXER ++#include ++#endif + + #include "api_v1.grpc.pb.h" + #include "errors.h" +@@ -30,7 +33,6 @@ + #include "controller_manager.h" + #include "cstruct_wrapper.h" + #include "read_write_lock.h" +-#include "sandbox_task.h" + + namespace sandbox { + +@@ -140,6 +142,7 @@ public: + auto Remove(Errors &error) -> bool; + void Status(runtime::v1::PodSandboxStatus &status); + ++#ifdef ENABLE_SANDBOXER + // for sandbox api update + virtual void LoadSandboxTasks(); + virtual auto PrepareContainer(const char *containerId, const char *baseFs, +@@ -149,6 +152,7 @@ public: + defs_process *processSpec, const char *consoleFifos[]) -> int; + virtual auto PurgeContainer(const char *containerId) -> int; + virtual auto PurgeExec(const char *containerId, const char *execId) -> int; ++#endif + + private: + auto SaveState(Errors &error) -> bool; +diff --git a/src/daemon/sandbox/sandbox_ops.cc b/src/daemon/sandbox/sandbox_ops.cc +index ae881933..cf88c1bd 100644 +--- a/src/daemon/sandbox/sandbox_ops.cc ++++ b/src/daemon/sandbox/sandbox_ops.cc +@@ -25,6 +25,7 @@ + #include "namespace.h" + #include "utils.h" + ++#ifdef ENABLE_SANDBOXER + static inline bool validate_sandbox_info(const container_sandbox_info *sandbox) + { + return (sandbox != NULL && sandbox->sandboxer != NULL && +@@ -110,6 +111,7 @@ int sandbox_purge_exec(const container_config_v2_common_config *config, const ch + + return sandbox->PurgeExec(config->id, exec_id); + } ++#endif /* ENABLE_SANDBOXER */ + + int sandbox_on_sandbox_exit(const char *sandbox_id, int exit_code) + { +diff --git a/src/daemon/sandbox/sandbox_ops.h b/src/daemon/sandbox/sandbox_ops.h +index 8189efd6..e1309313 100644 +--- a/src/daemon/sandbox/sandbox_ops.h ++++ b/src/daemon/sandbox/sandbox_ops.h +@@ -24,6 +24,7 @@ + extern "C" { + #endif + ++#ifdef ENABLE_SANDBOXER + int sandbox_prepare_container(const container_config_v2_common_config *config, + const oci_runtime_spec *oci_spec, + const char *console_fifos[], bool tty); +@@ -35,6 +36,7 @@ int sandbox_prepare_exec(const container_config_v2_common_config *config, + int sandbox_purge_container(const container_config_v2_common_config *config); + + int sandbox_purge_exec(const container_config_v2_common_config *config, const char *exec_id); ++#endif + + int sandbox_on_sandbox_exit(const char *sandbox_id, int exit_code); + +diff --git a/src/daemon/sandbox/sandbox_task.cc b/src/daemon/sandbox/sandboxer/sandbox_task.cc +similarity index 100% +rename from src/daemon/sandbox/sandbox_task.cc +rename to src/daemon/sandbox/sandboxer/sandbox_task.cc +diff --git a/src/daemon/sandbox/sandbox_task.h b/src/daemon/sandbox/sandboxer/sandbox_task.h +similarity index 100% +rename from src/daemon/sandbox/sandbox_task.h +rename to src/daemon/sandbox/sandboxer/sandbox_task.h +-- +2.34.1 + diff --git a/0186-UT-sandboxer-code-isolation.patch b/0186-UT-sandboxer-code-isolation.patch new file mode 100644 index 0000000..eab9b79 --- /dev/null +++ b/0186-UT-sandboxer-code-isolation.patch @@ -0,0 +1,111 @@ +From 80de8ca6b9bdd56d0e53d73a631fefb2e170b3c3 Mon Sep 17 00:00:00 2001 +From: liuxu +Date: Fri, 7 Feb 2025 16:51:42 +0800 +Subject: [PATCH 186/198] UT:sandboxer code isolation + +Signed-off-by: liuxu +--- + test/mocks/sandbox_mock.cc | 2 ++ + test/mocks/sandbox_mock.h | 2 ++ + test/mocks/sandboxer_sandbox_mock.cc | 5 ++++- + test/mocks/sandboxer_sandbox_mock.h | 3 +++ + test/sandbox/sandbox/CMakeLists.txt | 1 - + 5 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/test/mocks/sandbox_mock.cc b/test/mocks/sandbox_mock.cc +index cce5a1b6..e14473bb 100644 +--- a/test/mocks/sandbox_mock.cc ++++ b/test/mocks/sandbox_mock.cc +@@ -222,6 +222,7 @@ bool Sandbox::Remove(Errors &error) + return true; + } + ++#ifdef ENABLE_SANDBOXER + void Sandbox::LoadSandboxTasks() {} + + auto Sandbox::PrepareContainer(const char *containerId, const char *baseFs, +@@ -246,5 +247,6 @@ auto Sandbox::PurgeExec(const char *containerId, const char *execId) -> int + { + return 0; + } ++#endif + + } +\ No newline at end of file +diff --git a/test/mocks/sandbox_mock.h b/test/mocks/sandbox_mock.h +index 4908bcd9..3c776f69 100644 +--- a/test/mocks/sandbox_mock.h ++++ b/test/mocks/sandbox_mock.h +@@ -59,6 +59,7 @@ public: + MOCK_METHOD1(Remove, bool(Errors &error)); + MOCK_METHOD1(Status, void(runtime::v1::PodSandboxStatus &status)); + ++#ifdef ENABLE_SANDBOXER + MOCK_METHOD0(LoadSandboxTasks, void()); + MOCK_METHOD4(PrepareContainer, int(const char *containerId, const char *baseFs, + const oci_runtime_spec *ociSpec, +@@ -67,6 +68,7 @@ public: + defs_process *processSpec, const char *consoleFifos[])); + MOCK_METHOD1(PurgeContainer, int(const char *containerId)); + MOCK_METHOD2(PurgeExec, int(const char *containerId, const char *execId)); ++#endif + }; + + void MockSandbox_SetMock(MockSandbox *mock); +diff --git a/test/mocks/sandboxer_sandbox_mock.cc b/test/mocks/sandboxer_sandbox_mock.cc +index 6ebe2820..9366c738 100644 +--- a/test/mocks/sandboxer_sandbox_mock.cc ++++ b/test/mocks/sandboxer_sandbox_mock.cc +@@ -13,6 +13,8 @@ + * Description: provide sandbox mock + ******************************************************************************/ + ++#ifdef ENABLE_SANDBOXER ++ + #include + #include "sandboxer_sandbox_mock.h" + +@@ -68,4 +70,5 @@ auto SandboxerSandbox::PurgeExec(const char *containerId, const char *execId) -> + return 0; + } + +-} +\ No newline at end of file ++} ++#endif +\ No newline at end of file +diff --git a/test/mocks/sandboxer_sandbox_mock.h b/test/mocks/sandboxer_sandbox_mock.h +index 020fe4d6..69bea078 100644 +--- a/test/mocks/sandboxer_sandbox_mock.h ++++ b/test/mocks/sandboxer_sandbox_mock.h +@@ -16,6 +16,8 @@ + #ifndef _ISULAD_TEST_MOCKS_SANDBOXER_SANDBOX_MOCK_H + #define _ISULAD_TEST_MOCKS_SANDBOXER_SANDBOX_MOCK_H + ++#ifdef ENABLE_SANDBOXER ++ + #include + #include "sandbox_mock.h" + #include "sandboxer_sandbox.h" +@@ -40,5 +42,6 @@ public: + void MockSandboxerSandbox_SetMock(MockSandboxerSandbox *mock); + + } ++#endif + + #endif +diff --git a/test/sandbox/sandbox/CMakeLists.txt b/test/sandbox/sandbox/CMakeLists.txt +index d033c93f..358633dc 100644 +--- a/test/sandbox/sandbox/CMakeLists.txt ++++ b/test/sandbox/sandbox/CMakeLists.txt +@@ -29,7 +29,6 @@ add_executable(${EXE} + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cpputils/transform.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cpputils/cxxutils.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandbox.cc +- ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandbox_task.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/controller_manager.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/common/id_name_manager.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/config/isulad_config.c +-- +2.34.1 + diff --git a/0187-remove-uncalled-functions-in-cri-v1.patch b/0187-remove-uncalled-functions-in-cri-v1.patch new file mode 100644 index 0000000..c44642f --- /dev/null +++ b/0187-remove-uncalled-functions-in-cri-v1.patch @@ -0,0 +1,517 @@ +From a883b34db2ca8d17261b0a2dd154f12487ddebfa Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Mon, 10 Feb 2025 09:37:26 +0800 +Subject: [PATCH 187/198] remove uncalled functions in cri v1 + +Signed-off-by: zhongtao +--- + src/daemon/common/cri/v1/v1_cri_helpers.cc | 67 ------------------- + src/daemon/common/cri/v1/v1_cri_helpers.h | 8 --- + src/daemon/common/cri/v1/v1_naming.cc | 30 --------- + src/daemon/common/cri/v1/v1_naming.h | 3 - + .../v1/v1_cri_container_manager_service.cc | 27 -------- + .../cri/v1/v1_cri_container_manager_service.h | 1 - + .../v1/v1_cri_pod_sandbox_manager_service.cc | 63 ----------------- + .../v1/v1_cri_pod_sandbox_manager_service.h | 7 -- + .../entry/cri/v1alpha/v1alpha_cri_helpers.cc | 21 ------ + .../entry/cri/v1alpha/v1alpha_cri_helpers.h | 3 - + src/daemon/sandbox/controller_manager.cc | 5 -- + src/daemon/sandbox/controller_manager.h | 1 - + src/daemon/sandbox/sandbox.cc | 5 -- + src/daemon/sandbox/sandbox.h | 1 - + src/daemon/sandbox/sandbox_manager.cc | 6 -- + src/daemon/sandbox/sandbox_manager.h | 1 - + 16 files changed, 249 deletions(-) + +diff --git a/src/daemon/common/cri/v1/v1_cri_helpers.cc b/src/daemon/common/cri/v1/v1_cri_helpers.cc +index dfe14ade..d71e3681 100644 +--- a/src/daemon/common/cri/v1/v1_cri_helpers.cc ++++ b/src/daemon/common/cri/v1/v1_cri_helpers.cc +@@ -57,27 +57,6 @@ auto ContainerStatusToRuntime(Container_Status status) -> runtime::v1::Container + } + } + +-auto CheckpointToSandbox(const std::string &id, const CRI::PodSandboxCheckpoint &checkpoint) +--> std::unique_ptr +-{ +- std::unique_ptr result(new (std::nothrow) runtime::v1::PodSandbox); +- if (result == nullptr) { +- return nullptr; +- } +- runtime::v1::PodSandboxMetadata *metadata = new (std::nothrow) runtime::v1::PodSandboxMetadata; +- if (metadata == nullptr) { +- return nullptr; +- } +- +- metadata->set_name(checkpoint.GetName()); +- metadata->set_namespace_(checkpoint.GetNamespace()); +- result->set_allocated_metadata(metadata); +- result->set_id(id); +- result->set_state(runtime::v1::SANDBOX_NOTREADY); +- +- return result; +-} +- + void UpdateCreateConfig(container_config *createConfig, host_config *hc, + const runtime::v1::ContainerConfig &config, const std::string &podSandboxID, + Errors &error) +@@ -199,24 +178,6 @@ auto GenerateEnvList(const ::google::protobuf::RepeatedPtrField<::runtime::v1::K + return vect; + } + +-auto ValidateCheckpointKey(const std::string &key, Errors &error) -> bool +-{ +- const std::string PATTERN { "^([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$" }; +- +- if (key.empty()) { +- goto err_out; +- } +- +- if (key.size() <= CRIHelpers::Constants::MAX_CHECKPOINT_KEY_LEN && +- util_reg_match(PATTERN.c_str(), key.c_str()) == 0) { +- return true; +- } +- +-err_out: +- error.Errorf("invalid key: %s", key.c_str()); +- return false; +-} +- + auto ToIsuladContainerStatus(const runtime::v1::ContainerStateValue &state) -> std::string + { + if (state.state() == runtime::v1::CONTAINER_CREATED) { +@@ -362,34 +323,6 @@ void AddSecurityOptsToHostConfig(std::vector &securityOpts, host_co + } + + } +-void GetContainerSandboxID(const std::string &containerID, std::string &realContainerID, std::string &sandboxID, +- Errors &error) +-{ +- std::string PodID; +- container_inspect *info = CRIHelpers::InspectContainer(containerID, error, false); +- if (error.NotEmpty()) { +- error.Errorf("Failed to inspect container %s: %s", containerID.c_str(), error.GetCMessage()); +- return; +- } +- +- // TODO: Refactor after adding the ability to use sandbox manager for sandboxid query +- if (info->config != nullptr && info->config->labels != nullptr) { +- for (size_t j = 0; j < info->config->labels->len; j++) { +- if (strcmp(info->config->labels->keys[j], CRIHelpers::Constants::SANDBOX_ID_LABEL_KEY.c_str()) == 0 +- && strcmp(info->config->labels->values[j], "") != 0) { +- PodID = info->config->labels->values[j]; +- break; +- } +- } +- } +- +- if (PodID.empty()) { +- error.Errorf("Failed to get sandbox id for container %s", containerID.c_str()); +- } else { +- sandboxID = PodID; +- } +- realContainerID = info->id; +-} + + #ifdef ENABLE_SANDBOXER + std::string CRISandboxerConvert(const std::string &runtime) +diff --git a/src/daemon/common/cri/v1/v1_cri_helpers.h b/src/daemon/common/cri/v1/v1_cri_helpers.h +index 22cffd0d..6a848581 100644 +--- a/src/daemon/common/cri/v1/v1_cri_helpers.h ++++ b/src/daemon/common/cri/v1/v1_cri_helpers.h +@@ -42,9 +42,6 @@ struct commonSecurityContext { + + auto ContainerStatusToRuntime(Container_Status status) -> runtime::v1::ContainerState; + +-auto CheckpointToSandbox(const std::string &id, const CRI::PodSandboxCheckpoint &checkpoint) +--> std::unique_ptr; +- + void UpdateCreateConfig(container_config *createConfig, host_config *hc, + const runtime::v1::ContainerConfig &config, const std::string &podSandboxID, + Errors &error); +@@ -55,8 +52,6 @@ void GenerateMountBindings(const google::protobuf::RepeatedPtrField &envs) + -> std::vector; + +-auto ValidateCheckpointKey(const std::string &key, Errors &error) -> bool; +- + auto ToIsuladContainerStatus(const runtime::v1::ContainerStateValue &state) -> std::string; + + auto GetSeccompSecurityOpts(const bool hasSeccomp, const ::runtime::v1::SecurityProfile &seccomp, +@@ -72,9 +67,6 @@ auto GetSecurityOpts(const commonSecurityContext &context, const char &separator + + void AddSecurityOptsToHostConfig(std::vector &securityOpts, host_config *hostconfig, Errors &error); + +-void GetContainerSandboxID(const std::string &containerID, std::string &realContainerID, std::string &sandboxID, +- Errors &error); +- + std::string CRISandboxerConvert(const std::string &runtime); + + void ApplySandboxSecurityContextToHostConfig(const runtime::v1::LinuxSandboxSecurityContext &context, host_config *hc, +diff --git a/src/daemon/common/cri/v1/v1_naming.cc b/src/daemon/common/cri/v1/v1_naming.cc +index 1a1ebb0d..2a5b972c 100644 +--- a/src/daemon/common/cri/v1/v1_naming.cc ++++ b/src/daemon/common/cri/v1/v1_naming.cc +@@ -44,36 +44,6 @@ std::string MakeSandboxName(const runtime::v1::PodSandboxMetadata &metadata) + return sname; + } + +-void ParseSandboxName(const google::protobuf::Map &annotations, +- runtime::v1::PodSandboxMetadata &metadata, Errors &err) +-{ +- if (annotations.count(CRIHelpers::Constants::SANDBOX_NAME_ANNOTATION_KEY) == 0) { +- err.Errorf("annotation don't contains the sandbox name, failed to parse it"); +- return; +- } +- +- if (annotations.count(CRIHelpers::Constants::SANDBOX_NAMESPACE_ANNOTATION_KEY) == 0) { +- err.Errorf("annotation don't contains the sandbox namespace, failed to parse it"); +- return; +- } +- +- if (annotations.count(CRIHelpers::Constants::SANDBOX_UID_ANNOTATION_KEY) == 0) { +- err.Errorf("annotation don't contains the sandbox uid, failed to parse it"); +- return; +- } +- +- if (annotations.count(CRIHelpers::Constants::SANDBOX_ATTEMPT_ANNOTATION_KEY) == 0) { +- err.Errorf("annotation don't contains the sandbox attempt, failed to parse it"); +- return; +- } +- +- metadata.set_name(annotations.at(CRIHelpers::Constants::SANDBOX_NAME_ANNOTATION_KEY)); +- metadata.set_namespace_(annotations.at(CRIHelpers::Constants::SANDBOX_NAMESPACE_ANNOTATION_KEY)); +- metadata.set_uid(annotations.at(CRIHelpers::Constants::SANDBOX_UID_ANNOTATION_KEY)); +- auto sandboxAttempt = annotations.at(CRIHelpers::Constants::SANDBOX_ATTEMPT_ANNOTATION_KEY); +- metadata.set_attempt(static_cast(std::stoul(sandboxAttempt))); +-} +- + std::string MakeContainerName(const runtime::v1::PodSandboxConfig &s, const runtime::v1::ContainerConfig &c) + { + std::string sname; +diff --git a/src/daemon/common/cri/v1/v1_naming.h b/src/daemon/common/cri/v1/v1_naming.h +index d0862077..364f17c9 100644 +--- a/src/daemon/common/cri/v1/v1_naming.h ++++ b/src/daemon/common/cri/v1/v1_naming.h +@@ -26,9 +26,6 @@ std::string MakeSandboxName(const runtime::v1::PodSandboxMetadata &metadata); + std::string MakeContainerName(const runtime::v1::PodSandboxConfig &s, + const runtime::v1::ContainerConfig &c); + +-void ParseSandboxName(const google::protobuf::Map &annotations, +- runtime::v1::PodSandboxMetadata &metadata, Errors &err); +- + void ParseContainerName(const google::protobuf::Map &annotations, + runtime::v1::ContainerMetadata *metadata, Errors &err); + } // namespace CRINamingV1 +diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc +index 1e84d14c..e8dcd699 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc +@@ -33,33 +33,6 @@ + #endif + + namespace CRIV1 { +-auto ContainerManagerService::GetContainerOrSandboxRuntime(const std::string &realID, Errors &error) -> std::string +-{ +- std::string runtime; +- if (m_cb == nullptr || m_cb->container.get_runtime == nullptr) { +- error.SetError("Unimplemented callback"); +- return runtime; +- } +- container_get_runtime_response *response { nullptr }; +- +- if (m_cb->container.get_runtime(realID.c_str(), &response) != 0) { +- if (response != nullptr && response->errmsg != nullptr) { +- error.SetError(response->errmsg); +- } else { +- error.SetError("Failed to call get id callback"); +- } +- goto cleanup; +- } +- +- if (response->runtime != nullptr) { +- runtime = response->runtime; +- } +- +-cleanup: +- free_container_get_runtime_response(response); +- return runtime; +-} +- + auto ContainerManagerService::PackCreateContainerHostConfigDevices( + const runtime::v1::ContainerConfig &containerConfig, host_config *hostconfig, Errors &error) -> int + { +diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h +index 50f5ed69..1153b79c 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h ++++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h +@@ -73,7 +73,6 @@ public: + void Attach(const runtime::v1::AttachRequest &req, runtime::v1::AttachResponse *resp, Errors &error); + + private: +- auto GetContainerOrSandboxRuntime(const std::string &realID, Errors &error) -> std::string; + auto GenerateCreateContainerRequest(sandbox::Sandbox &sandbox, + const runtime::v1::ContainerConfig &containerConfig, + const runtime::v1::PodSandboxConfig &podSandboxConfig, +diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc +index a5f98619..43705853 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc +@@ -491,17 +491,6 @@ void PodSandboxManagerService::ClearCniNetwork(const std::shared_ptr std::string +-{ +- if (inspect_data == nullptr || inspect_data->network_settings == nullptr || +- inspect_data->network_settings->sandbox_key == nullptr) { +- ERROR("Inspect data does not have network settings"); +- return std::string(""); +- } +- +- return std::string(inspect_data->network_settings->sandbox_key); +-} +- + auto PodSandboxManagerService::GetContainerListResponse(const std::string &readSandboxID, + std::vector &errors) -> std::unique_ptr> + { +@@ -589,21 +578,6 @@ auto PodSandboxManagerService::StopAllContainersInSandbox(const std::string &rea + return ret; + } + +-auto PodSandboxManagerService::GetNetworkReady(const std::string &podSandboxID, Errors &error) -> bool +-{ +- std::lock_guard lockGuard(m_networkReadyLock); +- +- bool ready { false }; +- auto iter = m_networkReady.find(podSandboxID); +- if (iter != m_networkReady.end()) { +- ready = iter->second; +- } else { +- error.Errorf("Do not find network: %s", podSandboxID.c_str()); +- } +- +- return ready; +-} +- + void PodSandboxManagerService::StopPodSandbox(const std::string &podSandboxID, Errors &error) + { + if (m_cb == nullptr || m_cb->container.stop == nullptr) { +@@ -674,16 +648,6 @@ void PodSandboxManagerService::RemoveAllContainersInSandbox(const std::string &r + } + } + +-void PodSandboxManagerService::ClearNetworkReady(const std::string &podSandboxID) +-{ +- std::lock_guard lockGuard(m_networkReadyLock); +- +- auto iter = m_networkReady.find(podSandboxID); +- if (iter != m_networkReady.end()) { +- m_networkReady.erase(iter); +- } +-} +- + void PodSandboxManagerService::RemovePodSandbox(const std::string &podSandboxID, Errors &error) + { + std::vector errors; +@@ -766,33 +730,6 @@ void PodSandboxManagerService::RemovePodSandbox(const std::string &podSandboxID, + #endif + } + +-auto PodSandboxManagerService::SharesHostNetwork(const container_inspect *inspect) -> runtime::v1::NamespaceMode +-{ +- if (inspect != nullptr && inspect->host_config != nullptr && (inspect->host_config->network_mode != nullptr) && +- std::string(inspect->host_config->network_mode) == CRI::Constants::namespaceModeHost) { +- return runtime::v1::NamespaceMode::NODE; +- } +- return runtime::v1::NamespaceMode::POD; +-} +- +-auto PodSandboxManagerService::SharesHostPid(const container_inspect *inspect) -> runtime::v1::NamespaceMode +-{ +- if (inspect != nullptr && inspect->host_config != nullptr && (inspect->host_config->pid_mode != nullptr) && +- std::string(inspect->host_config->pid_mode) == CRI::Constants::namespaceModeHost) { +- return runtime::v1::NamespaceMode::NODE; +- } +- return runtime::v1::NamespaceMode::CONTAINER; +-} +- +-auto PodSandboxManagerService::SharesHostIpc(const container_inspect *inspect) -> runtime::v1::NamespaceMode +-{ +- if (inspect != nullptr && inspect->host_config != nullptr && (inspect->host_config->ipc_mode != nullptr) && +- std::string(inspect->host_config->ipc_mode) == CRI::Constants::namespaceModeHost) { +- return runtime::v1::NamespaceMode::NODE; +- } +- return runtime::v1::NamespaceMode::POD; +-} +- + void PodSandboxManagerService::GetIPs(std::shared_ptr sandbox, std::vector &ips) + { + const auto id = sandbox->GetId(); +diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h +index d5c0cf91..b02216c0 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h ++++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h +@@ -93,12 +93,7 @@ private: + auto GetContainerListResponse(const std::string &readSandboxID, + std::vector &errors) -> std::unique_ptr>; + auto StopAllContainersInSandbox(const std::string &readSandboxID, Errors &error) -> int; +- auto GetNetworkReady(const std::string &podSandboxID, Errors &error) -> bool; + void RemoveAllContainersInSandbox(const std::string &readSandboxID, std::vector &errors); +- void ClearNetworkReady(const std::string &podSandboxID); +- auto SharesHostNetwork(const container_inspect *inspect) -> runtime::v1::NamespaceMode; +- auto SharesHostPid(const container_inspect *inspect) -> runtime::v1::NamespaceMode; +- auto SharesHostIpc(const container_inspect *inspect) -> runtime::v1::NamespaceMode; + void SetSandboxStatusNetwork(std::shared_ptr sandbox, + std::unique_ptr &podStatus); + void GetIPs(std::shared_ptr sandbox, std::vector &ips); +@@ -108,7 +103,6 @@ private: + auto GetAvailableBytes(const uint64_t &memoryLimit, const uint64_t &workingSetBytes) -> uint64_t; + void GetPodSandboxCgroupMetrics(const std::string &cgroupParent, cgroup_metrics_t &cgroupMetrics, + Errors &error); +- auto GetSandboxKey(const container_inspect *inspect_data) -> std::string; + void GetPodSandboxNetworkMetrics(const std::string &netnsPath, + std::map &annotations, + std::vector &netMetrics, Errors &error); +@@ -138,7 +132,6 @@ private: + private: + std::string m_podSandboxImage; + std::mutex m_networkReadyLock; +- std::map m_networkReady; + service_executor_t *m_cb { nullptr }; + std::shared_ptr m_pluginManager { nullptr }; + bool m_enablePodEvents; +diff --git a/src/daemon/entry/cri/v1alpha/v1alpha_cri_helpers.cc b/src/daemon/entry/cri/v1alpha/v1alpha_cri_helpers.cc +index 0afea06a..3974add5 100644 +--- a/src/daemon/entry/cri/v1alpha/v1alpha_cri_helpers.cc ++++ b/src/daemon/entry/cri/v1alpha/v1alpha_cri_helpers.cc +@@ -53,27 +53,6 @@ auto ContainerStatusToRuntime(Container_Status status) -> runtime::v1alpha2::Con + } + } + +-auto CheckpointToSandbox(const std::string &id, const CRI::PodSandboxCheckpoint &checkpoint) +--> std::unique_ptr +-{ +- std::unique_ptr result(new (std::nothrow) runtime::v1alpha2::PodSandbox); +- if (result == nullptr) { +- return nullptr; +- } +- runtime::v1alpha2::PodSandboxMetadata *metadata = new (std::nothrow) runtime::v1alpha2::PodSandboxMetadata; +- if (metadata == nullptr) { +- return nullptr; +- } +- +- metadata->set_name(checkpoint.GetName()); +- metadata->set_namespace_(checkpoint.GetNamespace()); +- result->set_allocated_metadata(metadata); +- result->set_id(id); +- result->set_state(runtime::v1alpha2::SANDBOX_NOTREADY); +- +- return result; +-} +- + void UpdateCreateConfig(container_config *createConfig, host_config *hc, + const runtime::v1alpha2::ContainerConfig &config, const std::string &podSandboxID, + Errors &error) +diff --git a/src/daemon/entry/cri/v1alpha/v1alpha_cri_helpers.h b/src/daemon/entry/cri/v1alpha/v1alpha_cri_helpers.h +index 6bca8169..f3331421 100644 +--- a/src/daemon/entry/cri/v1alpha/v1alpha_cri_helpers.h ++++ b/src/daemon/entry/cri/v1alpha/v1alpha_cri_helpers.h +@@ -40,9 +40,6 @@ struct commonSecurityContext { + + auto ContainerStatusToRuntime(Container_Status status) -> runtime::v1alpha2::ContainerState; + +-auto CheckpointToSandbox(const std::string &id, const CRI::PodSandboxCheckpoint &checkpoint) +--> std::unique_ptr; +- + void UpdateCreateConfig(container_config *createConfig, host_config *hc, + const runtime::v1alpha2::ContainerConfig &config, const std::string &podSandboxID, + Errors &error); +diff --git a/src/daemon/sandbox/controller_manager.cc b/src/daemon/sandbox/controller_manager.cc +index 947f2d19..ae01fefe 100644 +--- a/src/daemon/sandbox/controller_manager.cc ++++ b/src/daemon/sandbox/controller_manager.cc +@@ -55,11 +55,6 @@ bool ControllerManager::Init(Errors &error) + return true; + } + +-bool ControllerManager::Cleanup(Errors &error) +-{ +- return true; +-} +- + auto ControllerManager::RegisterShimController(Errors &error) -> bool + { + if (m_controllers.find(SHIM_CONTROLLER_NAME) != m_controllers.end()) { +diff --git a/src/daemon/sandbox/controller_manager.h b/src/daemon/sandbox/controller_manager.h +index 3fd547cf..c8febffb 100644 +--- a/src/daemon/sandbox/controller_manager.h ++++ b/src/daemon/sandbox/controller_manager.h +@@ -27,7 +27,6 @@ public: + static auto GetInstance() -> ControllerManager*; + + auto Init(Errors &error) -> bool; +- auto Cleanup(Errors &error) -> bool; + auto GetController(const std::string &name) -> std::shared_ptr; + private: + auto RegisterShimController(Errors &error) -> bool; +diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc +index d105d71a..0ddbb9ce 100644 +--- a/src/daemon/sandbox/sandbox.cc ++++ b/src/daemon/sandbox/sandbox.cc +@@ -210,11 +210,6 @@ auto Sandbox::GetPid() -> uint32_t + return m_state.pid; + } + +-auto Sandbox::GetImage() -> const std::string & +-{ +- return m_image; +-} +- + void Sandbox::DoUpdateExitedStatus(const ControllerExitInfo &exitInfo) + { + WriteGuard lock(m_stateMutex); +diff --git a/src/daemon/sandbox/sandbox.h b/src/daemon/sandbox/sandbox.h +index 58d60ecb..aa9071ac 100644 +--- a/src/daemon/sandbox/sandbox.h ++++ b/src/daemon/sandbox/sandbox.h +@@ -106,7 +106,6 @@ public: + auto GetCreatedAt() -> uint64_t; + auto GetPid() -> uint32_t; + auto GetTaskAddress() const -> const std::string &; +- auto GetImage() -> const std::string &; + void SetNetMode(const std::string &mode); + void SetController(std::shared_ptr controller); + void AddAnnotations(const std::string &key, const std::string &value); +diff --git a/src/daemon/sandbox/sandbox_manager.cc b/src/daemon/sandbox/sandbox_manager.cc +index a7908a60..d884902d 100644 +--- a/src/daemon/sandbox/sandbox_manager.cc ++++ b/src/daemon/sandbox/sandbox_manager.cc +@@ -405,12 +405,6 @@ auto SandboxManager::NameIndexGet(const std::string &name) -> std::string + return std::string(); + } + +-auto SandboxManager::NameIndexGetAll(void) -> std::map +-{ +- ReadGuard lock(m_indexRWMutex); +- return m_nameIndexMap; +-} +- + auto SandboxManager::GetSandboxRootpath() -> std::string + { + __isula_auto_free char *root_path = NULL; +diff --git a/src/daemon/sandbox/sandbox_manager.h b/src/daemon/sandbox/sandbox_manager.h +index b6007ad8..a5fb702f 100644 +--- a/src/daemon/sandbox/sandbox_manager.h ++++ b/src/daemon/sandbox/sandbox_manager.h +@@ -62,7 +62,6 @@ private: + void NameIndexAdd(const std::string &name, const std::string &id); + void NameIndexRemove(const std::string &name); + auto NameIndexGet(const std::string &name) -> std::string; +- auto NameIndexGetAll(void) -> std::map; + + auto IDNameManagerRemoveEntry(const std::string &id, const std::string &name) -> bool; + auto IDNameManagerNewEntry(std::string &id, const std::string &name) -> bool; +-- +2.34.1 + diff --git a/0188-sandbox-fix-memory-leak-in-fill-sandbox-metadate.patch b/0188-sandbox-fix-memory-leak-in-fill-sandbox-metadate.patch new file mode 100644 index 0000000..c1ca215 --- /dev/null +++ b/0188-sandbox-fix-memory-leak-in-fill-sandbox-metadate.patch @@ -0,0 +1,71 @@ +From 012553d4c53bd8d1c73d22c18fd24bf441041d54 Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Sat, 8 Feb 2025 11:34:59 +0800 +Subject: [PATCH 188/198] [sandbox] fix memory leak in fill sandbox metadate + +Signed-off-by: zhongtao +--- + src/daemon/sandbox/sandbox.cc | 26 +++++++++++++++++++++----- + 1 file changed, 21 insertions(+), 5 deletions(-) + +diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc +index 12693445..e2f42237 100644 +--- a/src/daemon/sandbox/sandbox.cc ++++ b/src/daemon/sandbox/sandbox.cc +@@ -890,20 +890,24 @@ auto Sandbox::GenerateSandboxMetadataJson(sandbox_metadata *metadata) -> std::st + + auto Sandbox::SaveMetadata(Errors &error) -> bool + { +- sandbox_metadata_runtime_info info = { 0 }; +- sandbox_metadata metadata = { 0 }; + int nret = -1; + const std::string path = GetMetadataJsonPath(); + std::string metadataJson; + +- metadata.runtime_info = &info; ++ sandbox_metadata *metadata = static_cast(util_common_calloc_s(sizeof(sandbox_metadata))); ++ if (metadata == nullptr) { ++ error.SetError("Out of memory"); ++ return false; ++ } ++ ++ auto metadataWarpper = std::unique_ptr>(new CStructWrapper(metadata, free_sandbox_metadata)); + +- FillSandboxMetadata(&metadata, error); ++ FillSandboxMetadata(metadata, error); + if (!error.Empty()) { + return false; + } + +- metadataJson = GenerateSandboxMetadataJson(&metadata); ++ metadataJson = GenerateSandboxMetadataJson(metadata); + if (metadataJson.length() == 0) { + error.Errorf("Failed to get sandbox metadata json for sandbox: '%s'", m_id.c_str()); + return false; +@@ -1102,11 +1106,23 @@ auto Sandbox::GetNetworkSettingsPath() -> std::string + void Sandbox::FillSandboxMetadata(sandbox_metadata* metadata, Errors &error) + { + std::string jsonStr; ++ sandbox_metadata_runtime_info *info = nullptr; ++ + metadata->id = util_strdup_s(m_id.c_str()); + metadata->name = util_strdup_s(m_name.c_str()); ++ ++ info = static_cast(util_common_calloc_s(sizeof(sandbox_metadata_runtime_info))); ++ if (info == NULL) { ++ error.SetError("Out of memory"); ++ ERROR("Out of memory"); ++ return; ++ } ++ ++ metadata->runtime_info = info; + metadata->runtime_info->runtime = util_strdup_s(m_runtimeInfo.runtime.c_str()); + metadata->runtime_info->sandboxer = util_strdup_s(m_runtimeInfo.sandboxer.c_str()); + metadata->runtime_info->runtime_handler = util_strdup_s(m_runtimeInfo.runtimeHandler.c_str()); ++ + metadata->net_mode = util_strdup_s(m_netMode.c_str()); + metadata->network_ready = m_networkReady; + metadata->task_address = util_strdup_s(m_taskAddress.c_str()); +-- +2.34.1 + diff --git a/0189-add-sandbox-pid-init-and-verify-sandbox-ready-when-c.patch b/0189-add-sandbox-pid-init-and-verify-sandbox-ready-when-c.patch new file mode 100644 index 0000000..f65c078 --- /dev/null +++ b/0189-add-sandbox-pid-init-and-verify-sandbox-ready-when-c.patch @@ -0,0 +1,44 @@ +From 317b853a0d70bab56d2c0f814e6d1c4203a48c5f Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Thu, 16 Jan 2025 01:16:42 +1400 +Subject: [PATCH 189/198] add sandbox pid init and verify sandbox ready when + create container + +Signed-off-by: zhongtao +--- + src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc | 6 ++++++ + src/daemon/sandbox/sandbox.cc | 1 + + 2 files changed, 7 insertions(+) + +diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc +index e8dcd699..abf60c0c 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc +@@ -483,6 +483,12 @@ std::string ContainerManagerService::CreateContainer(const std::string &podSandb + return response_id; + } + ++ // verify whether the sandbox is ready ++ if (!sandbox->IsReady()) { ++ error.Errorf("Failed to generate sandbox_info because the sandbox %s is not ready", sandbox->GetId().c_str()); ++ return nullptr; ++ } ++ + #ifdef ENABLE_NRI + Errors nriErr; + nri_container_adjustment *adjust = NULL; +diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc +index e2f42237..b97c0bc6 100644 +--- a/src/daemon/sandbox/sandbox.cc ++++ b/src/daemon/sandbox/sandbox.cc +@@ -100,6 +100,7 @@ Sandbox::Sandbox(const std::string id, const std::string &rootdir, const std::st + const uint64_t defaultCreatedAt { 1 }; + m_state.createdAt = defaultCreatedAt; + m_image = image; ++ m_state.pid = -1; + } + + auto Sandbox::IsReady() -> bool +-- +2.34.1 + diff --git a/0190-modified-the-procedure-of-start-pod-and-set-up-netwo.patch b/0190-modified-the-procedure-of-start-pod-and-set-up-netwo.patch new file mode 100644 index 0000000..084b8b2 --- /dev/null +++ b/0190-modified-the-procedure-of-start-pod-and-set-up-netwo.patch @@ -0,0 +1,399 @@ +From 1d42d850b71e3a0e269f268411999c265a1a8f5b Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Mon, 10 Feb 2025 10:44:01 +0800 +Subject: [PATCH 190/198] modified the procedure of start pod and set up + network in cri v1 + +Signed-off-by: zhongtao +--- + .../v1/v1_cri_pod_sandbox_manager_service.cc | 276 +++++++++++++----- + .../v1/v1_cri_pod_sandbox_manager_service.h | 3 + + 2 files changed, 206 insertions(+), 73 deletions(-) + +diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc +index 43705853..62464acd 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + + #include "checkpoint_handler.h" +@@ -273,12 +274,6 @@ void PodSandboxManagerService::SetupSandboxNetwork(const std::shared_ptr networkOptions; + networkOptions["UID"] = config.metadata().uid(); + +- if (prepare_network_namespace(sandboxKey.c_str(), false, 0) != 0) { +- error.Errorf("Failed to prepare network namespace: %s", sandboxKey.c_str()); +- ERROR("Failed to prepare network namespace: %s", sandboxKey.c_str()); +- return; +- } +- + // Setup networking for the sandbox. + m_pluginManager->SetUpPod(config.metadata().namespace_(), config.metadata().name(), + Network::DEFAULT_NETWORK_INTERFACE_NAME, sandbox->GetId(), stdAnnos, networkOptions, +@@ -295,85 +290,137 @@ void PodSandboxManagerService::SetupSandboxNetwork(const std::shared_ptrGetId().c_str()); + } + +-auto PodSandboxManagerService::RunPodSandbox(const runtime::v1::PodSandboxConfig &config, +- const std::string &runtimeHandler, Errors &error) -> std::string ++void PodSandboxManagerService::GenerateNetworkSetting(std::string &sandboxKey, std::string &network_setting_json, Errors &error) ++{ ++ container_network_settings *settings = NULL; ++ __isula_auto_free char *jerr = NULL; ++ __isula_auto_free char *setting_json { nullptr }; ++ ++ settings = (container_network_settings *)util_common_calloc_s(sizeof(container_network_settings)); ++ if (settings == NULL) { ++ ERROR("Out of memory"); ++ error.Errorf("Out of memory"); ++ return; ++ } ++ ++ auto settingsWarpper = std::unique_ptr>(new CStructWrapper(settings, free_container_network_settings)); ++ ++ settings->sandbox_key = util_strdup_s(sandboxKey.c_str()); ++ if (settings->sandbox_key == NULL) { ++ ERROR("Failed to set sandbox key for network setting"); ++ error.Errorf("Failed to set sandbox key for network setting"); ++ return; ++ } ++ ++ setting_json = container_network_settings_generate_json(settings, nullptr, &jerr); ++ if (setting_json == nullptr) { ++ error.Errorf("Get network settings json err:%s", jerr); ++ } ++ ++ network_setting_json = std::string(setting_json); ++} ++ ++void PodSandboxManagerService::StartPodSandboxAndSetupNetowrk(std::shared_ptr sandbox, std::string &sandboxKey, std::string &sandboxName, std::string &networkMode, Errors &error) + { +- std::string response_id; +- std::string sandboxName; +- sandbox::RuntimeInfo runtimeInfo; +- std::string networkMode; +- std::string sandboxKey; +- std::string jsonCheckpoint; +- std::string network_setting_json; +- runtime::v1::PodSandboxConfig copyConfig = config; + cri_container_message_t msg = { 0 }; +-#ifdef ENABLE_NRI +- Errors nriErr; +-#endif ++ std::string network_setting_json; + +- // Step 1: Parepare sandbox name, runtime and networkMode +- PrepareSandboxData(config, runtimeHandler, sandboxName, runtimeInfo, networkMode, error); ++ // Step 7.2.1: Call sandbox create. ++ sandbox->Create(error); + if (error.NotEmpty()) { +- return response_id; ++ ERROR("Failed to create sandbox: %s", sandboxName.c_str()); ++ return; + } + +- // Step 2: Pull the image for the sandbox. +- // Maybe we should pull image in shim controller ? +- // But pull image interface is only in CRI image service, and it can't be called in shim controller, +- // so we pull image in CRI pod service. +- const std::string &image = m_podSandboxImage; +- if (!EnsureSandboxImageExists(image, runtimeInfo.sandboxer, error)) { +- ERROR("Failed to pull sandbox image %s: %s", image.c_str(), error.NotEmpty() ? error.GetCMessage() : ""); +- error.Errorf("Failed to pull sandbox image %s: %s", image.c_str(), error.NotEmpty() ? error.GetCMessage() : ""); +- return response_id; ++ msg.container_id = sandbox->GetId().c_str(); ++ msg.sandbox_id = sandbox->GetId().c_str(); ++ msg.type = CRI_CONTAINER_MESSAGE_TYPE_CREATED; ++ mailbox_publish(MAILBOX_TOPIC_CRI_CONTAINER, &msg); ++ ++ // Step 7.2.2: Save network settings json to disk ++ // Update network settings before start sandbox since sandbox container will use the sandbox key ++ if (namespace_is_cni(networkMode.c_str())) { ++ GenerateNetworkSetting(sandboxKey, network_setting_json, error); ++ // If saving network settings failed, ignore error ++ if (error.NotEmpty()) { ++ ERROR("Failed to generate networksetting :%s", error.GetCMessage()); ++ return; ++ } ++ ++ sandbox->UpdateNetworkSettings(network_setting_json, error); ++ // If saving network settings failed, ignore error ++ if (error.NotEmpty()) { ++ ERROR("%s", error.GetCMessage()); ++ return; ++ } + } + +- // Step 3: Prepare sandbox checkpoint +- PrepareSandboxCheckpoint(config, jsonCheckpoint, error); ++ // Step 7.2.3: Call sandbox start. ++ sandbox->Start(error); + if (error.NotEmpty()) { +- return response_id; ++ ERROR("Failed to start sandbox: %s", sandboxName.c_str()); ++ return; + } + +- // Step 4: Update sandbox instance config +- UpdateSandboxConfig(copyConfig, jsonCheckpoint, error); ++ // Step 7.2.4:Setup networking for the sandbox. ++ SetupSandboxNetwork(sandbox, network_setting_json, error); + if (error.NotEmpty()) { +- return response_id; ++ goto stop_sandbox; + } + +- // Step 5: Prepare sandboxKey ++ // Step 7.2.5:update Network settings after setup network to update ip info. + if (namespace_is_cni(networkMode.c_str())) { +- // cleanup sandboxKey file in DeleteSandbox +- PrepareSandboxKey(sandboxKey, error); +- if (error.NotEmpty()) { +- return response_id; ++ Errors tmpErr; ++ sandbox->UpdateNetworkSettings(network_setting_json, tmpErr); ++ // If saving network settings failed, ignore error ++ if (tmpErr.NotEmpty()) { ++ WARN("%s", tmpErr.GetCMessage()); + } + } + +- // Step 6: Create sandbox instance +- auto sandbox = sandbox::SandboxManager::GetInstance()->CreateSandbox(sandboxName, runtimeInfo, sandboxKey, +- networkMode, copyConfig, image, error); ++ // Step 7.2.6: Save sandbox to disk ++ sandbox->Save(error); + if (error.NotEmpty()) { +- if (namespace_is_cni(networkMode.c_str())) { +- (void)remove_network_namespace_file(sandboxKey.c_str()); ++ ERROR("Failed to save sandbox, %s", sandboxName.c_str()); ++ goto cleanup_network; ++ } ++ return; ++ ++cleanup_network: ++ if (namespace_is_cni(sandbox->GetNetMode().c_str())) { ++ Errors clearErr; ++ ClearCniNetwork(sandbox, clearErr); ++ if (clearErr.NotEmpty()) { ++ ERROR("Failed to clean cni network: %s", clearErr.GetCMessage()); + } +- return response_id; + } + +- // Step 7: Setup networking for the sandbox. ++stop_sandbox: ++ Errors stopError; ++ CRIHelpers::StopContainerHelper(m_cb, sandbox->GetId(), 0, stopError); ++ WARN("Error stop container: %s: %s", sandbox->GetId().c_str(), stopError.GetCMessage()); ++} ++ ++void PodSandboxManagerService::SetupNetowrkAndStartPodSandbox(std::shared_ptr sandbox, std::string &sandboxName, std::string &networkMode, Errors &error) ++{ ++ cri_container_message_t msg = { 0 }; ++ std::string network_setting_json; ++ ++ // Step 7.1.1: Setup networking for the sandbox. + // Setup sandbox network before create sandbox since the remote create might fail for sandbox + SetupSandboxNetwork(sandbox, network_setting_json, error); + if (error.NotEmpty()) { +- goto cleanup_sandbox; ++ return; + } + +- // Step 8: Save sandbox to disk ++ // Step 7.1.2: Save sandbox to disk + sandbox->Save(error); + if (error.NotEmpty()) { + ERROR("Failed to save sandbox, %s", sandboxName.c_str()); + goto cleanup_network; + } + +- // Step 9: Call sandbox create. ++ // Step 7.1.3: Call sandbox create. + sandbox->Create(error); + if (error.NotEmpty()) { + ERROR("Failed to create sandbox: %s", sandboxName.c_str()); +@@ -385,7 +432,7 @@ auto PodSandboxManagerService::RunPodSandbox(const runtime::v1::PodSandboxConfig + msg.type = CRI_CONTAINER_MESSAGE_TYPE_CREATED; + mailbox_publish(MAILBOX_TOPIC_CRI_CONTAINER, &msg); + +- // Step 10: Save network settings json to disk ++ // Step 7.1.4: Save network settings json to disk + // Update network settings before start sandbox since sandbox container will use the sandbox key + if (namespace_is_cni(networkMode.c_str())) { + Errors tmpErr; +@@ -396,26 +443,15 @@ auto PodSandboxManagerService::RunPodSandbox(const runtime::v1::PodSandboxConfig + } + } + +- // Step 11: Call sandbox start. ++ // Step 7.1.5: Call sandbox start. + sandbox->Start(error); + if (error.NotEmpty()) { + ERROR("Failed to start sandbox: %s", sandboxName.c_str()); +- // If start failed, sandbox should be NotReady, we cleanup network and delete sandbox in remove +- return response_id; +- } +- +- msg.type = CRI_CONTAINER_MESSAGE_TYPE_STARTED; +- mailbox_publish(MAILBOX_TOPIC_CRI_CONTAINER, &msg); +- +-#ifdef ENABLE_NRI +- if (!NRIAdaptation::GetInstance()->RunPodSandbox(sandbox, nriErr)) { +- ERROR("NRI RunPodSandbox failed: %s", nriErr.GetCMessage()); +- error.Errorf("NRI RunPodSandbox failed: %s", nriErr.GetCMessage()); +- return response_id; ++ // If start failed, sandbox should be NotReady, we cleanup network, but delete sandbox in remove ++ goto cleanup_network; + } +-#endif + +- return sandbox->GetId(); ++ return; + + cleanup_network: + if (namespace_is_cni(sandbox->GetNetMode().c_str())) { +@@ -423,21 +459,115 @@ cleanup_network: + ClearCniNetwork(sandbox, clearErr); + if (clearErr.NotEmpty()) { + ERROR("Failed to clean cni network: %s", clearErr.GetCMessage()); ++ return; ++ } ++ } ++} ++ ++auto PodSandboxManagerService::RunPodSandbox(const runtime::v1::PodSandboxConfig &config, ++ const std::string &runtimeHandler, Errors &error) -> std::string ++{ ++ std::string response_id; ++ std::string sandboxName; ++ sandbox::RuntimeInfo runtimeInfo; ++ std::string networkMode; ++ std::string sandboxKey; ++ std::string jsonCheckpoint; ++ runtime::v1::PodSandboxConfig copyConfig = config; ++ std::map stdAnnos; ++ cri_container_message_t msg = { 0 }; ++ std::shared_ptr sandbox; ++#ifdef ENABLE_NRI ++ Errors nriErr; ++#endif ++ ++ // Step 1: Parepare sandbox name, runtime and networkMode ++ PrepareSandboxData(config, runtimeHandler, sandboxName, runtimeInfo, networkMode, error); ++ if (error.NotEmpty()) { ++ return response_id; ++ } ++ ++ // Step 2: Pull the image for the sandbox. ++ // Maybe we should pull image in shim controller ? ++ // But pull image interface is only in CRI image service, and it can't be called in shim controller, ++ // so we pull image in CRI pod service. ++ const std::string &image = m_podSandboxImage; ++ if (!EnsureSandboxImageExists(image, runtimeInfo.sandboxer, error)) { ++ ERROR("Failed to pull sandbox image %s: %s", image.c_str(), error.NotEmpty() ? error.GetCMessage() : ""); ++ error.Errorf("Failed to pull sandbox image %s: %s", image.c_str(), error.NotEmpty() ? error.GetCMessage() : ""); ++ return response_id; ++ } ++ ++ // Step 3: Prepare sandbox checkpoint ++ PrepareSandboxCheckpoint(config, jsonCheckpoint, error); ++ if (error.NotEmpty()) { ++ return response_id; ++ } ++ ++ // Step 4: Update sandbox instance config ++ UpdateSandboxConfig(copyConfig, jsonCheckpoint, error); ++ if (error.NotEmpty()) { ++ return response_id; ++ } ++ ++ // Step 5: Prepare sandboxKey and mount ns namespace ++ if (namespace_is_cni(networkMode.c_str())) { ++ // cleanup sandboxKey file in DeleteSandbox ++ PrepareSandboxKey(sandboxKey, error); ++ if (error.NotEmpty()) { + return response_id; + } ++ if (prepare_network_namespace(sandboxKey.c_str(), false, 0) != 0) { ++ error.Errorf("Failed to prepare network namespace: %s", sandboxKey.c_str()); ++ ERROR("Failed to prepare network namespace: %s", sandboxKey.c_str()); ++ goto clean_ns; ++ } + } + +-cleanup_sandbox: +- sandbox::SandboxManager::GetInstance()->DeleteSandbox(sandbox->GetId(), error); ++ // Step 6: Create sandbox instance ++ sandbox = sandbox::SandboxManager::GetInstance()->CreateSandbox(sandboxName, runtimeInfo, sandboxKey, ++ networkMode, copyConfig, image, error); ++ if (error.NotEmpty()) { ++ goto clean_ns; ++ } ++ ++ CRIHelpers::ProtobufAnnoMapToStd(sandbox->GetSandboxConfig().annotations(), stdAnnos); ++ // Step 7: According to the annotation and network namespace mode, ++ // determine the order of start sandbox and setup network. ++ // tips: clean sandbox and network in sub function. ++ if (CRIHelpers::SetupNetworkFirst(stdAnnos)) { ++ // Step 7.1: Setup networking for the sandbox, and then start the sandbox container. ++ SetupNetowrkAndStartPodSandbox(sandbox, sandboxName, networkMode, error); ++ } else { ++ // Step 7.2: (Default)Start the sandbox container, and then setup networking for the sandbox. ++ // why: Some kata multi-network plane plugins (such as configuring vfio device pass-through) ++ // need to be called after the pod is already running. ++ StartPodSandboxAndSetupNetowrk(sandbox, sandboxKey, sandboxName, networkMode, error); ++ } + if (error.NotEmpty()) { +- ERROR("Failed to delete sandbox: %s", sandbox->GetId().c_str()); ++ goto clean_ns; + } ++ ++ msg.type = CRI_CONTAINER_MESSAGE_TYPE_STARTED; ++ mailbox_publish(MAILBOX_TOPIC_CRI_CONTAINER, &msg); ++ + #ifdef ENABLE_NRI +- if (!NRIAdaptation::GetInstance()->RemovePodSandbox(sandbox, nriErr)) { +- DEBUG("NRI RemovePodSandbox failed: %s", nriErr.GetCMessage()); ++ if (!NRIAdaptation::GetInstance()->RunPodSandbox(sandbox, nriErr)) { ++ ERROR("NRI RunPodSandbox failed: %s", nriErr.GetCMessage()); ++ error.Errorf("NRI RunPodSandbox failed: %s", nriErr.GetCMessage()); ++ return response_id; + } + #endif + ++ return sandbox->GetId(); ++clean_ns: ++ if (namespace_is_cni(networkMode.c_str())) { ++ // umount netns when prepare runp failed ++ if (remove_network_namespace(sandboxKey.c_str()) != 0) { ++ SYSERROR("Failed to umount directory %s", sandboxKey.c_str()); ++ } ++ (void)remove_network_namespace_file(sandboxKey.c_str()); ++ } + return response_id; + } + +diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h +index b02216c0..01d06624 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h ++++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h +@@ -86,6 +86,9 @@ private: + void UpdateSandboxConfig(runtime::v1::PodSandboxConfig &config, std::string &jsonCheckpoint, Errors &error); + void SetupSandboxFiles(const std::string &resolvPath, const runtime::v1::PodSandboxConfig &config, + Errors &error); ++ void GenerateNetworkSetting(std::string &sandboxKey, std::string &network_setting_json, Errors &error); ++ void StartPodSandboxAndSetupNetowrk(std::shared_ptr sandbox, std::string &sandboxKey, std::string &sandboxName, std::string &networkMode, Errors &error); ++ void SetupNetowrkAndStartPodSandbox(std::shared_ptr sandbox, std::string &sandboxName, std::string &networkMode, Errors &error); + void SetupSandboxNetwork(const std::shared_ptr sandbox, std::string &network_settings_json, + Errors &error); + void ClearCniNetwork(const std::shared_ptr sandbox, Errors &error); +-- +2.34.1 + diff --git a/0191-bugfix-dereference-null-pointer.patch b/0191-bugfix-dereference-null-pointer.patch new file mode 100644 index 0000000..41bbb56 --- /dev/null +++ b/0191-bugfix-dereference-null-pointer.patch @@ -0,0 +1,36 @@ +From 2861c3105e1605c0a0b037558b0ccf54c9780678 Mon Sep 17 00:00:00 2001 +From: liuxu +Date: Tue, 11 Feb 2025 11:08:31 +0800 +Subject: [PATCH 191/198] bugfix:dereference null pointer + +Signed-off-by: liuxu +--- + src/daemon/modules/container/container_gc/containers_gc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/daemon/modules/container/container_gc/containers_gc.c b/src/daemon/modules/container/container_gc/containers_gc.c +index 3f2473d5..5dd299dc 100644 +--- a/src/daemon/modules/container/container_gc/containers_gc.c ++++ b/src/daemon/modules/container/container_gc/containers_gc.c +@@ -461,15 +461,16 @@ static void gc_container_process(struct linked_list *it) + unsigned long long start_time = 0; + char *runtime = NULL; + char *id = NULL; +- container_garbage_config_gc_containers_element *gc_cont = NULL; ++ container_garbage_config_gc_containers_element *gc_cont = (container_garbage_config_gc_containers_element *)it->elem; + rt_detect_process_params_t detect_params = { + .pid = gc_cont->pid, + .start_time = gc_cont->start_time, + }; + +- gc_cont = (container_garbage_config_gc_containers_element *)it->elem; + id = gc_cont->id; + runtime = gc_cont->runtime; ++ pid = gc_cont->pid; ++ start_time = gc_cont->start_time; + + if (runtime_detect_process(id, runtime, &detect_params) < 0) { + ret = clean_container_resource(id, runtime, pid); +-- +2.34.1 + diff --git a/0192-modify-save-step-in-run-sandbox.patch b/0192-modify-save-step-in-run-sandbox.patch new file mode 100644 index 0000000..b975c5b --- /dev/null +++ b/0192-modify-save-step-in-run-sandbox.patch @@ -0,0 +1,158 @@ +From edb21523aac45aa5628243599a296592a6b84d79 Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Wed, 12 Feb 2025 11:18:46 +1400 +Subject: [PATCH 192/198] modify save step in run sandbox + +Signed-off-by: zhongtao +--- + .../v1/v1_cri_pod_sandbox_manager_service.cc | 55 +++++++------------ + 1 file changed, 19 insertions(+), 36 deletions(-) + +diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc +index 62464acd..8a7779ad 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc +@@ -325,7 +325,7 @@ void PodSandboxManagerService::StartPodSandboxAndSetupNetowrk(std::shared_ptrCreate(error); + if (error.NotEmpty()) { + ERROR("Failed to create sandbox: %s", sandboxName.c_str()); +@@ -337,7 +337,7 @@ void PodSandboxManagerService::StartPodSandboxAndSetupNetowrk(std::shared_ptrStart(error); + if (error.NotEmpty()) { + ERROR("Failed to start sandbox: %s", sandboxName.c_str()); + return; + } + +- // Step 7.2.4:Setup networking for the sandbox. ++ // Step 8.2.4:Setup networking for the sandbox. + SetupSandboxNetwork(sandbox, network_setting_json, error); + if (error.NotEmpty()) { + goto stop_sandbox; + } + +- // Step 7.2.5:update Network settings after setup network to update ip info. ++ // Step 8.2.5:update Network settings after setup network to update ip info. + if (namespace_is_cni(networkMode.c_str())) { + Errors tmpErr; + sandbox->UpdateNetworkSettings(network_setting_json, tmpErr); +@@ -378,23 +378,7 @@ void PodSandboxManagerService::StartPodSandboxAndSetupNetowrk(std::shared_ptrSave(error); +- if (error.NotEmpty()) { +- ERROR("Failed to save sandbox, %s", sandboxName.c_str()); +- goto cleanup_network; +- } + return; +- +-cleanup_network: +- if (namespace_is_cni(sandbox->GetNetMode().c_str())) { +- Errors clearErr; +- ClearCniNetwork(sandbox, clearErr); +- if (clearErr.NotEmpty()) { +- ERROR("Failed to clean cni network: %s", clearErr.GetCMessage()); +- } +- } +- + stop_sandbox: + Errors stopError; + CRIHelpers::StopContainerHelper(m_cb, sandbox->GetId(), 0, stopError); +@@ -406,21 +390,14 @@ void PodSandboxManagerService::SetupNetowrkAndStartPodSandbox(std::shared_ptrSave(error); +- if (error.NotEmpty()) { +- ERROR("Failed to save sandbox, %s", sandboxName.c_str()); +- goto cleanup_network; +- } +- +- // Step 7.1.3: Call sandbox create. ++ // Step 8.1.2: Call sandbox create. + sandbox->Create(error); + if (error.NotEmpty()) { + ERROR("Failed to create sandbox: %s", sandboxName.c_str()); +@@ -432,7 +409,7 @@ void PodSandboxManagerService::SetupNetowrkAndStartPodSandbox(std::shared_ptrStart(error); + if (error.NotEmpty()) { + ERROR("Failed to start sandbox: %s", sandboxName.c_str()); + // If start failed, sandbox should be NotReady, we cleanup network, but delete sandbox in remove + goto cleanup_network; + } +- + return; + + cleanup_network: +@@ -531,15 +507,22 @@ auto PodSandboxManagerService::RunPodSandbox(const runtime::v1::PodSandboxConfig + goto clean_ns; + } + ++ // Step 7: Save sandbox metadate to disk for sandbox instance create success ++ sandbox->Save(error); ++ if (error.NotEmpty()) { ++ ERROR("Failed to save sandbox, %s", sandboxName.c_str()); ++ goto clean_ns; ++ } ++ + CRIHelpers::ProtobufAnnoMapToStd(sandbox->GetSandboxConfig().annotations(), stdAnnos); +- // Step 7: According to the annotation and network namespace mode, ++ // Step 8: According to the annotation and network namespace mode, + // determine the order of start sandbox and setup network. + // tips: clean sandbox and network in sub function. + if (CRIHelpers::SetupNetworkFirst(stdAnnos)) { +- // Step 7.1: Setup networking for the sandbox, and then start the sandbox container. ++ // Step 8.1: Setup networking for the sandbox, and then start the sandbox container. + SetupNetowrkAndStartPodSandbox(sandbox, sandboxName, networkMode, error); + } else { +- // Step 7.2: (Default)Start the sandbox container, and then setup networking for the sandbox. ++ // Step 8.2: (Default)Start the sandbox container, and then setup networking for the sandbox. + // why: Some kata multi-network plane plugins (such as configuring vfio device pass-through) + // need to be called after the pod is already running. + StartPodSandboxAndSetupNetowrk(sandbox, sandboxKey, sandboxName, networkMode, error); +-- +2.34.1 + diff --git a/0193-add-dt-for-cri-v1.patch b/0193-add-dt-for-cri-v1.patch new file mode 100644 index 0000000..2c206f5 --- /dev/null +++ b/0193-add-dt-for-cri-v1.patch @@ -0,0 +1,209 @@ +From bb2ed9b37d7c69b0af88487693826556321d46e9 Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Tue, 11 Feb 2025 22:42:39 +0800 +Subject: [PATCH 193/198] add dt for cri v1 + +Signed-off-by: zhongtao +--- + CI/test_cases/container_cases/cri_stats.sh | 90 ++++++++++++++++++++++ + CI/test_cases/container_cases/cri_test.sh | 80 +++++++++++++++++++ + 2 files changed, 170 insertions(+) + create mode 100755 CI/test_cases/container_cases/cri_stats.sh + +diff --git a/CI/test_cases/container_cases/cri_stats.sh b/CI/test_cases/container_cases/cri_stats.sh +new file mode 100755 +index 00000000..f6acb397 +--- /dev/null ++++ b/CI/test_cases/container_cases/cri_stats.sh +@@ -0,0 +1,90 @@ ++#!/bin/bash ++# ++# attributes: isulad basic cri seccomp ++# concurrent: NA ++# spend time: 4 ++ ++####################################################################### ++##- Copyright (c) Huawei Technologies Co., Ltd. 2022. All rights reserved. ++# - iSulad licensed under the Mulan PSL v2. ++# - You can use this software according to the terms and conditions of the Mulan PSL v2. ++# - You may obtain a copy of Mulan PSL v2 at: ++# - http://license.coscl.org.cn/MulanPSL2 ++# - THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++# - IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++# - PURPOSE. ++# - See the Mulan PSL v2 for more details. ++##- @Description:CI ++##- @Author: wangfengtu ++##- @Create: 2022-08-13 ++####################################################################### ++ ++source ../helpers.sh ++curr_path=$(dirname $(readlink -f "$0")) ++data_path=$(realpath $curr_path/criconfigs) ++pause_img_path=$(realpath $curr_path/test_data) ++ ++function do_pre() ++{ ++ sed -i "s#seccomp_localhost_ref#${data_path}/seccomp_localhost.json#g" ${data_path}/container-config-seccomp-localhost.json ++ ++ init_cri_conf $1 "without_valgrind" ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to init cri conf: ${1}" && return ${FAILURE} ++ ++ isula pull busybox ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to pull busybox" && return ${FAILURE} ++ ++ return 0 ++} ++ ++function do_post() ++{ ++ local ret=0 ++ restore_cri_conf "without_valgrind" ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to restore cri conf" && ((ret++)) ++ return $ret ++} ++ ++function test_cri_stats() ++{ ++ local ret=0 ++ local test="cri stats test => (${FUNCNAME[@]})" ++ ++ msg_info "${test} starting..." ++ ++ sid=$(crictl runp ${data_path}/sandbox-config.json) ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to run sandbox" && ((ret++)) ++ ++ cid=$(crictl create $sid ${data_path}/container-config.json ${data_path}/sandbox-config.json) ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to create container" && ((ret++)) ++ ++ crictl start $cid ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to start container" && ((ret++)) ++ ++ crictl statsp $sid ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to get cri stats" && ((ret++)) ++ ++ crictl stats $cid ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to get cri stats" && ((ret++)) ++ ++ msg_info "${test} finished with return ${ret}..." ++ return ${ret} ++} ++ ++declare -i ans=0 ++ ++for version in ${CRI_LIST[@]}; ++do ++ test="test_cri_test_fun, use cri version => (${version})" ++ msg_info "${test} starting..." ++ ++ do_pre $version || ((ans++)) ++ ++ test_cri_stats || ((ans++)) ++ ++ do_post || ((ans++)) ++ msg_info "${test} finished with return ${ans}..." ++done ++ ++show_result ${ans} "${curr_path}/${0}" ++ +diff --git a/CI/test_cases/container_cases/cri_test.sh b/CI/test_cases/container_cases/cri_test.sh +index ed333a28..6dc2291e 100755 +--- a/CI/test_cases/container_cases/cri_test.sh ++++ b/CI/test_cases/container_cases/cri_test.sh +@@ -45,6 +45,83 @@ function do_post() + return $ret + } + ++function test_cri_info() ++{ ++ local ret=0 ++ local image="busybox" ++ local test="cri info test => (${FUNCNAME[@]})" ++ ++ msg_info "${test} starting..." ++ ++ crictl info ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to get cri info" && ((ret++)) ++ ++ msg_info "${test} finished with return ${ret}..." ++ return ${ret} ++} ++ ++function test_cri_list() ++{ ++ local ret=0 ++ local image="busybox" ++ local test="cri list test => (${FUNCNAME[@]})" ++ ++ msg_info "${test} starting..." ++ ++ sid=$(crictl runp ${data_path}/sandbox-config.json) ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to run sandbox" && ((ret++)) ++ ++ cid=$(crictl create $sid ${data_path}/container-config.json ${data_path}/sandbox-config.json) ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to create container" && ((ret++)) ++ ++ crictl start $cid ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to start container" && ((ret++)) ++ ++ crictl pods | grep "^${sid:0:5}" ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to list cri pod" && ((ret++)) ++ ++ crictl ps -a | grep "^${cid:0:5}" ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to list cri container" && ((ret++)) ++ ++ stop_isulad_without_valgrind ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++)) ++ ++ start_isulad_without_valgrind ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++)) ++ ++ crictl ps -a | grep "^${cid:0:5}" ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to list cri container after restart" && ((ret++)) ++ ++ crictl pods | grep "^${sid:0:5}" ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to list cri pod after restart" && ((ret++)) ++ ++ crictl rmp -f $(crictl pods -q) ++ ++ msg_info "${test} finished with return ${ret}..." ++ return ${ret} ++} ++ ++function test_cri_images() ++{ ++ local ret=0 ++ local image="busybox" ++ local test="cri images test => (${FUNCNAME[@]})" ++ ++ msg_info "${test} starting..." ++ ++ crictl pull $image ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to pull image" && ((ret++)) ++ ++ crictl images | grep $image ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to list cri images" && ((ret++)) ++ ++ crictl rmi $image ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to remove image" && ((ret++)) ++ ++ msg_info "${test} finished with return ${ret}..." ++ return ${ret} ++} ++ + function test_cri_seccomp() + { + local ret=0 +@@ -97,6 +174,9 @@ do + test_cri_seccomp "default" || ((ans++)) + test_cri_seccomp "unconfined" || ((ans++)) + test_cri_seccomp "localhost" || ((ans++)) ++ test_cri_info || ((ans++)) ++ test_cri_list || ((ans++)) ++ test_cri_images || ((ans++)) + + do_post || ((ans++)) + msg_info "${test} finished with return ${ans}..." +-- +2.34.1 + diff --git a/0194-modify-the-CreateContainer-failed-return.patch b/0194-modify-the-CreateContainer-failed-return.patch new file mode 100644 index 0000000..d8caa45 --- /dev/null +++ b/0194-modify-the-CreateContainer-failed-return.patch @@ -0,0 +1,26 @@ +From b2bf7c101852a90fba3f7e85734fa887e3cd5fad Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Fri, 14 Feb 2025 15:23:21 +1400 +Subject: [PATCH 194/198] modify the CreateContainer failed return + +Signed-off-by: zhongtao +--- + src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc +index abf60c0c..fe1cca0c 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc +@@ -486,7 +486,7 @@ std::string ContainerManagerService::CreateContainer(const std::string &podSandb + // verify whether the sandbox is ready + if (!sandbox->IsReady()) { + error.Errorf("Failed to generate sandbox_info because the sandbox %s is not ready", sandbox->GetId().c_str()); +- return nullptr; ++ return response_id; + } + + #ifdef ENABLE_NRI +-- +2.34.1 + diff --git a/0195-Add-some-unit-tests-for-sandbox-and-shim-controller.patch b/0195-Add-some-unit-tests-for-sandbox-and-shim-controller.patch new file mode 100644 index 0000000..6d56842 --- /dev/null +++ b/0195-Add-some-unit-tests-for-sandbox-and-shim-controller.patch @@ -0,0 +1,379 @@ +From 94f867944d0f36ad77a488ab35f5555bf3c09c01 Mon Sep 17 00:00:00 2001 +From: xuxuepeng +Date: Fri, 14 Feb 2025 14:48:25 +0800 +Subject: [PATCH 195/198] Add some unit tests for sandbox and shim controller + +Signed-off-by: xuxuepeng +--- + src/daemon/sandbox/sandbox.h | 2 +- + .../shim/controller/shim_controller.cc | 5 + + test/sandbox/controller/shim/CMakeLists.txt | 2 + + .../controller/shim/shim_controller_ut.cc | 123 +++++++++++++++++- + test/sandbox/sandbox/CMakeLists.txt | 5 + + test/sandbox/sandbox/sandbox_ut.cc | 64 ++++++++- + 6 files changed, 196 insertions(+), 5 deletions(-) + +diff --git a/src/daemon/sandbox/sandbox.h b/src/daemon/sandbox/sandbox.h +index 9007ea16..0aeec826 100644 +--- a/src/daemon/sandbox/sandbox.h ++++ b/src/daemon/sandbox/sandbox.h +@@ -118,6 +118,7 @@ public: + auto UpdateStatsInfo(const StatsInfo &info) -> StatsInfo; + void SetNetworkReady(bool ready); + void SetNetworkMode(const std::string &networkMode); ++ void SetSandboxConfig(const runtime::v1::PodSandboxConfig &config); + auto FindAvailableVsockPort(uint32_t &port) -> bool; + void ReleaseVsockPort(uint32_t port); + auto CleanupSandboxFiles(Errors &error) -> bool; +@@ -162,7 +163,6 @@ private: + auto LoadMetadata(Errors &error) -> bool; + void LoadNetworkSetting(); + +- void SetSandboxConfig(const runtime::v1::PodSandboxConfig &config); + void SetNetworkSettings(const std::string &settings, Errors &error); + auto CreateHostname(bool shareHost, Errors &error) -> bool; + auto CreateHosts(bool shareHost, Errors &error) -> bool; +diff --git a/src/daemon/sandbox/shim/controller/shim_controller.cc b/src/daemon/sandbox/shim/controller/shim_controller.cc +index 7e4338f6..563a2f3d 100644 +--- a/src/daemon/sandbox/shim/controller/shim_controller.cc ++++ b/src/daemon/sandbox/shim/controller/shim_controller.cc +@@ -289,6 +289,11 @@ bool ShimController::Create(const std::string &sandboxId, + + std::unique_ptr ShimController::Start(const std::string &sandboxId, Errors &error) + { ++ if (m_cb == nullptr || m_cb->container.start == nullptr) { ++ ERROR("Unimplemented callback"); ++ error.SetError("Unimplemented callback"); ++ return nullptr; ++ } + std::unique_ptr sandboxInfo(new ControllerSandboxInfo()); + auto requestWrapper = makeUniquePtrCStructWrapper(free_container_start_request); + if (requestWrapper == nullptr) { +diff --git a/test/sandbox/controller/shim/CMakeLists.txt b/test/sandbox/controller/shim/CMakeLists.txt +index 069312c9..18f989f1 100644 +--- a/test/sandbox/controller/shim/CMakeLists.txt ++++ b/test/sandbox/controller/shim/CMakeLists.txt +@@ -28,6 +28,7 @@ add_executable(${EXE} + + target_include_directories(${EXE} PUBLIC + ${GTEST_INCLUDE_DIR} ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../include + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/common + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/common/cri + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/common/cri/v1 +@@ -52,6 +53,7 @@ target_include_directories(${EXE} PUBLIC + ${CMAKE_BINARY_DIR}/grpc/src/api/services/cri/v1 + ) + ++set_target_properties(${EXE} PROPERTIES LINK_FLAGS "-Wl,--wrap,isula_common_calloc_s") + target_link_libraries(${EXE} ${GTEST_BOTH_LIBRARIES} ${GMOCK_LIBRARY} ${GMOCK_MAIN_LIBRARY} ${CMAKE_THREAD_LIBS_INIT} ${ISULA_LIBUTILS_LIBRARY} libutils_ut -lgrpc++ -lprotobuf -lcrypto -lyajl -lz) + target_link_libraries(${EXE} -Wl,--as-needed ${ISULAD_ABSL_USED_TARGETS}) + add_test(NAME ${EXE} COMMAND ${EXE} --gtest_output=xml:${EXE}-Results.xml) +diff --git a/test/sandbox/controller/shim/shim_controller_ut.cc b/test/sandbox/controller/shim/shim_controller_ut.cc +index 75a51797..d85a87b2 100644 +--- a/test/sandbox/controller/shim/shim_controller_ut.cc ++++ b/test/sandbox/controller/shim/shim_controller_ut.cc +@@ -21,6 +21,12 @@ + #include "image_api_mock.h" + #include "service_container_api_mock.h" + #include "shim_controller.h" ++#include "mock.h" ++ ++extern "C" { ++ DECLARE_WRAPPER(isula_common_calloc_s, void *, (size_t size)); ++ DEFINE_WRAPPER(isula_common_calloc_s, void *, (size_t size), (size)); ++} + + class ShimControllerTest : public testing::Test { + protected: +@@ -76,6 +82,32 @@ TEST_F(ShimControllerTest, CreateTestFailed) + EXPECT_FALSE(m_contoller->Create(DUMMY_SANDBOX_ID, *params, err)); + } + ++TEST_F(ShimControllerTest, CreateTestContainerCallbackNullPtrError) ++{ ++ Errors err; ++ std::unique_ptr params = CreateTestCreateParams(); ++ // shim controller create needs linux config. ++ (void)params->config->mutable_linux(); ++ (void)params->config->mutable_linux()->mutable_resources(); ++ auto callback = get_service_executor(); ++ auto tmp_create = callback->container.create; ++ callback->container.create = nullptr; ++ EXPECT_FALSE(m_contoller->Create(DUMMY_SANDBOX_ID, *params, err)); ++ callback->container.create = tmp_create; ++} ++ ++TEST_F(ShimControllerTest, CreateTestContainerCallocError) ++{ ++ Errors err; ++ std::unique_ptr params = CreateTestCreateParams(); ++ // shim controller create needs linux config. ++ (void)params->config->mutable_linux(); ++ (void)params->config->mutable_linux()->mutable_resources(); ++ MOCK_SET(isula_common_calloc_s, nullptr); ++ EXPECT_FALSE(m_contoller->Create(DUMMY_SANDBOX_ID, *params, err)); ++ MOCK_CLEAR(isula_common_calloc_s); ++} ++ + /************* Unit tests for Start *************/ + TEST_F(ShimControllerTest, StartTestSucceed) + { +@@ -99,7 +131,6 @@ TEST_F(ShimControllerTest, StartTestSucceed) + EXPECT_EQ(ret->pid, 1234); + } + +-/************* Unit tests for Start *************/ + TEST_F(ShimControllerTest, StartTestFailed) + { + Errors err; +@@ -108,6 +139,24 @@ TEST_F(ShimControllerTest, StartTestFailed) + EXPECT_EQ(ret, nullptr); + } + ++TEST_F(ShimControllerTest, StartTestContainerCallbackNullPtrError) ++{ ++ Errors err; ++ auto callback = get_service_executor(); ++ auto tmp_start = callback->container.start; ++ callback->container.start = nullptr; ++ EXPECT_FALSE(m_contoller->Start(DUMMY_SANDBOX_ID, err)); ++ callback->container.start = tmp_start; ++} ++ ++TEST_F(ShimControllerTest, StartTestContainerCallocError) ++{ ++ Errors err; ++ MOCK_SET(isula_common_calloc_s, nullptr); ++ EXPECT_FALSE(m_contoller->Start(DUMMY_SANDBOX_ID, err)); ++ MOCK_CLEAR(isula_common_calloc_s); ++} ++ + /************* Unit tests for Stop *************/ + TEST_F(ShimControllerTest, StopTestSucceed) + { +@@ -123,6 +172,24 @@ TEST_F(ShimControllerTest, StopTestFailed) + EXPECT_FALSE(m_contoller->Stop(DUMMY_SANDBOX_ID, 0, err)); + } + ++TEST_F(ShimControllerTest, StopTestContainerCallbackNullPtrError) ++{ ++ Errors err; ++ auto callback = get_service_executor(); ++ auto tmp_stop = callback->container.stop; ++ callback->container.stop = nullptr; ++ EXPECT_FALSE(m_contoller->Stop(DUMMY_SANDBOX_ID, 0, err)); ++ callback->container.stop = tmp_stop; ++} ++ ++TEST_F(ShimControllerTest, StopTestContainerCallocError) ++{ ++ Errors err; ++ MOCK_SET(isula_common_calloc_s, nullptr); ++ EXPECT_FALSE(m_contoller->Stop(DUMMY_SANDBOX_ID, 0, err)); ++ MOCK_CLEAR(isula_common_calloc_s); ++} ++ + /************* Unit tests for Status *************/ + TEST_F(ShimControllerTest, StatusTestSucceed) + { +@@ -167,3 +234,57 @@ TEST_F(ShimControllerTest, ShutdownTestFailed) + EXPECT_CALL(*m_containerCallbackMock, ContainerRemove).Times(1).WillOnce(testing::Return(1)); + EXPECT_FALSE(m_contoller->Shutdown(DUMMY_SANDBOX_ID, err)); + } ++ ++TEST_F(ShimControllerTest, ShutdownTestContainerCallbackNullPtrError) ++{ ++ Errors err; ++ auto callback = get_service_executor(); ++ auto tmp_remove = callback->container.remove; ++ callback->container.remove = nullptr; ++ EXPECT_FALSE(m_contoller->Shutdown(DUMMY_SANDBOX_ID, err)); ++ callback->container.remove = tmp_remove; ++} ++ ++TEST_F(ShimControllerTest, ShutdownTestContainerCallocError) ++{ ++ Errors err; ++ MOCK_SET(isula_common_calloc_s, nullptr); ++ EXPECT_FALSE(m_contoller->Shutdown(DUMMY_SANDBOX_ID, err)); ++ MOCK_CLEAR(isula_common_calloc_s); ++} ++ ++/*********** Unit tests for Platform ***********/ ++TEST_F(ShimControllerTest, PlatformTestSucceed) ++{ ++ Errors err; ++ // Not support yet ++ std::unique_ptr ret = m_contoller->Platform(DUMMY_SANDBOX_ID, err); ++ EXPECT_EQ(ret, nullptr); ++} ++ ++/*********** Unit tests for Update ***********/ ++TEST_F(ShimControllerTest, UpdateTestSucceed) ++{ ++ Errors err; ++ // Shim Controller update is always true ++ EXPECT_TRUE(m_contoller->Update(nullptr, nullptr, err)); ++} ++ ++/*********** Unit tests for UpdateNetworkSettings ***********/ ++TEST_F(ShimControllerTest, UpdateNetworkSettingsTestCallbackNullPtrError) ++{ ++ Errors err; ++ auto callback = get_service_executor(); ++ auto tmp_update_network_settings = callback->container.update_network_settings; ++ callback->container.update_network_settings = nullptr; ++ EXPECT_FALSE(m_contoller->UpdateNetworkSettings(DUMMY_SANDBOX_ID, "networkSettings", err)); ++ callback->container.update_network_settings = tmp_update_network_settings; ++} ++ ++TEST_F(ShimControllerTest, UpdateNetworkSettingsTestContainerCallocError) ++{ ++ Errors err; ++ MOCK_SET(isula_common_calloc_s, nullptr); ++ EXPECT_FALSE(m_contoller->UpdateNetworkSettings(DUMMY_SANDBOX_ID, "networkSettings", err)); ++ MOCK_CLEAR(isula_common_calloc_s); ++} +diff --git a/test/sandbox/sandbox/CMakeLists.txt b/test/sandbox/sandbox/CMakeLists.txt +index 358633dc..3a249f90 100644 +--- a/test/sandbox/sandbox/CMakeLists.txt ++++ b/test/sandbox/sandbox/CMakeLists.txt +@@ -29,7 +29,9 @@ add_executable(${EXE} + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cpputils/transform.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cpputils/cxxutils.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandbox.cc ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandbox_ops.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/controller_manager.cc ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox/sandbox_manager.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/common/id_name_manager.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/config/isulad_config.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../test/sandbox/controller/controller_common.cc +@@ -43,6 +45,7 @@ target_include_directories(${EXE} PUBLIC + ${GTEST_INCLUDE_DIR} + ${sandbox_dir} + ${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../include + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/common + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/config + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/entry/cri +@@ -54,10 +57,12 @@ target_include_directories(${EXE} PUBLIC + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/sandbox + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/daemon/common + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cpputils ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cutils + ${CMAKE_BINARY_DIR}/grpc/src/api/services/cri + ${CMAKE_BINARY_DIR}/grpc/src/api/services/cri/v1 + ) + ++set_target_properties(${EXE} PROPERTIES LINK_FLAGS "-Wl,--wrap,util_file_exists -Wl,--wrap,mount") + target_link_libraries(${EXE} ${GTEST_BOTH_LIBRARIES} ${GMOCK_LIBRARY} ${GMOCK_MAIN_LIBRARY} ${CMAKE_THREAD_LIBS_INIT} ${ISULA_LIBUTILS_LIBRARY} libutils_ut -lgrpc -lgrpc++ -lprotobuf -lcrypto -lyajl -lz) + target_link_libraries(${EXE} -Wl,--as-needed ${ISULAD_ABSL_USED_TARGETS}) + add_test(NAME ${EXE} COMMAND ${EXE} --gtest_output=xml:${EXE}-Results.xml) +diff --git a/test/sandbox/sandbox/sandbox_ut.cc b/test/sandbox/sandbox/sandbox_ut.cc +index dd84d8fb..7534d67a 100644 +--- a/test/sandbox/sandbox/sandbox_ut.cc ++++ b/test/sandbox/sandbox/sandbox_ut.cc +@@ -14,8 +14,22 @@ + */ + + #include +- ++#include + #include "sandbox.h" ++#include "sandbox_ops.h" ++#include "mock.h" ++#include "utils_file.h" ++ ++extern "C" { ++ DECLARE_WRAPPER(util_file_exists, bool, (const char * path)); ++ DEFINE_WRAPPER(util_file_exists, bool, (const char * path), (path)); ++ DECLARE_WRAPPER(mount, int, (const char *__special_file, const char *__dir, ++ const char *__fstype, unsigned long int __rwflag, ++ const void *__data)); ++ DEFINE_WRAPPER(mount, int, (const char *__special_file, const char *__dir, ++ const char *__fstype, unsigned long int __rwflag, ++ const void *__data), (__special_file, __dir, __fstype, __rwflag, __data)); ++} + + namespace sandbox { + +@@ -39,8 +53,10 @@ TEST_F(SandboxTest, TestDefaultGetters) + std::string sandbox_statedir = statedir + "/" + id; + std::string name = "test"; + RuntimeInfo info = {"runc", "shim", "kuasar"}; ++ std::shared_ptr pod_config = std::make_shared(); ++ pod_config->set_hostname("test"); + +- auto sandbox = new Sandbox(id, rootdir, statedir, name, info); ++ auto sandbox = std::unique_ptr(new Sandbox(id, rootdir, statedir, name, info)); + ASSERT_NE(sandbox, nullptr); + + ASSERT_EQ(sandbox->IsReady(), false); +@@ -57,6 +73,8 @@ TEST_F(SandboxTest, TestDefaultGetters) + ASSERT_EQ(sandbox->GetStatsInfo().cpuUseNanos, 0); + ASSERT_EQ(sandbox->GetNetworkReady(), false); + ASSERT_STREQ(sandbox->GetNetMode().c_str(), DEFAULT_NETMODE.c_str()); ++ sandbox->SetSandboxConfig(*pod_config); ++ ASSERT_STREQ(sandbox->GetMutableSandboxConfig()->hostname().c_str(), pod_config->hostname().c_str()); + } + + TEST_F(SandboxTest, TestGettersAndSetters) +@@ -66,7 +84,7 @@ TEST_F(SandboxTest, TestGettersAndSetters) + std::string statedir = "/test2/statedir"; + std::string mode = "host"; + +- auto sandbox = new Sandbox(id, rootdir, statedir); ++ auto sandbox = std::unique_ptr(new Sandbox(id, rootdir, statedir)); + ASSERT_NE(sandbox, nullptr); + + sandbox->SetNetMode(mode); +@@ -93,4 +111,44 @@ TEST_F(SandboxTest, TestGettersAndSetters) + EXPECT_TRUE(sandbox->GetNetworkReady()); + } + ++TEST_F(SandboxTest, TestCreateDefaultResolveConf) ++{ ++ std::string id = "34567890"; ++ std::string rootdir = "/tmp/test3/rootdir"; ++ std::string statedir = "/tmp/test3/statedir"; ++ std::string name = "test"; ++ RuntimeInfo info = {"runc", "shim", "kuasar"}; ++ std::string host_nework = "host"; ++ Errors error; ++ ++ auto sandbox = std::unique_ptr(new Sandbox(id, rootdir, statedir, name, info, host_nework)); ++ ASSERT_NE(sandbox, nullptr); ++ MOCK_SET(util_file_exists, false); ++ MOCK_SET(mount, 0); ++ sandbox->PrepareSandboxDirs(error); ++ ASSERT_TRUE(error.Empty()); ++ MOCK_CLEAR(util_file_exists); ++ MOCK_CLEAR(mount); ++ const std::string RESOLVE_CONF = "\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n"; ++ std::string RESOLVE_PATH = rootdir + "/" + id + "/resolv.conf"; ++ ASSERT_TRUE(util_file_exists(RESOLVE_PATH.c_str())); ++ std::ifstream f(RESOLVE_PATH); ++ std::string line; ++ std::string content = ""; ++ while (std::getline(f, line)) { ++ content += line; ++ content +="\n"; ++ } ++ f.close(); ++ ASSERT_STREQ(RESOLVE_CONF.c_str(), content.c_str()); ++ sandbox->CleanupSandboxDirs(); ++ ASSERT_FALSE(util_file_exists(RESOLVE_PATH.c_str())); ++} ++ ++TEST_F(SandboxTest, TestSandboxOpsOnExitFailed) ++{ ++ ASSERT_EQ(sandbox_on_sandbox_exit(nullptr, 0), -1); ++ ASSERT_EQ(sandbox_on_sandbox_exit("12345678", 0), -1); ++} ++ + } +\ No newline at end of file +-- +2.34.1 + diff --git a/0196-add-remove-pod-in-cri-stats.patch b/0196-add-remove-pod-in-cri-stats.patch new file mode 100644 index 0000000..576db7b --- /dev/null +++ b/0196-add-remove-pod-in-cri-stats.patch @@ -0,0 +1,26 @@ +From a478553bc957d0cd684883ad63fec6a639631658 Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Mon, 17 Feb 2025 16:27:10 +0800 +Subject: [PATCH 196/198] add remove pod in cri stats + +Signed-off-by: zhongtao +--- + CI/test_cases/container_cases/cri_stats.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/CI/test_cases/container_cases/cri_stats.sh b/CI/test_cases/container_cases/cri_stats.sh +index f6acb397..72fb2856 100755 +--- a/CI/test_cases/container_cases/cri_stats.sh ++++ b/CI/test_cases/container_cases/cri_stats.sh +@@ -66,6 +66,8 @@ function test_cri_stats() + + crictl stats $cid + [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to get cri stats" && ((ret++)) ++ ++ crictl rmp -f $(crictl pods -q) + + msg_info "${test} finished with return ${ret}..." + return ${ret} +-- +2.34.1 + diff --git a/0197-coco-support-confidential-containers.patch b/0197-coco-support-confidential-containers.patch new file mode 100644 index 0000000..4cbd469 --- /dev/null +++ b/0197-coco-support-confidential-containers.patch @@ -0,0 +1,539 @@ +From 2edae8a425ae3442ee73469ca3fd2f3bf9422301 Mon Sep 17 00:00:00 2001 +From: liuxu +Date: Mon, 16 Dec 2024 17:11:04 +0800 +Subject: [PATCH 197/198] coco:support confidential containers + +Signed-off-by: liuxu +--- + cmake/options.cmake | 11 +++ + src/common/constants.h | 6 ++ + src/daemon/common/cri/v1/v1_cri_helpers.cc | 71 +++++++++++++--- + src/daemon/common/cri/v1/v1_cri_helpers.h | 4 + + .../v1/v1_cri_container_manager_service.cc | 5 ++ + .../v1/v1_cri_pod_sandbox_manager_service.cc | 14 +++- + .../executor/container_cb/execution_create.c | 12 +++ + src/daemon/modules/api/image_api.h | 3 + + src/daemon/modules/image/CMakeLists.txt | 10 +++ + src/daemon/modules/image/image.c | 46 +++++++++++ + .../modules/image/remote/CMakeLists.txt | 13 +++ + .../modules/image/remote/remote_image.c | 81 +++++++++++++++++++ + .../modules/image/remote/remote_image.h | 40 +++++++++ + .../sandbox/sandboxer/sandboxer_sandbox.cc | 10 ++- + 14 files changed, 308 insertions(+), 18 deletions(-) + create mode 100644 src/daemon/modules/image/remote/CMakeLists.txt + create mode 100644 src/daemon/modules/image/remote/remote_image.c + create mode 100644 src/daemon/modules/image/remote/remote_image.h + +diff --git a/cmake/options.cmake b/cmake/options.cmake +index 018502d7..efbd0a52 100644 +--- a/cmake/options.cmake ++++ b/cmake/options.cmake +@@ -62,6 +62,17 @@ if (ENABLE_SANDBOXER STREQUAL "ON") + endif() + endif() + ++option(ENABLE_REMOTE_IMAGE "Enable remote image" OFF) ++if (ENABLE_REMOTE_IMAGE STREQUAL "ON") ++ if (ENABLE_SANDBOXER) ++ add_definitions(-DENABLE_REMOTE_IMAGE) ++ set(ENABLE_REMOTE_IMAGE 1) ++ message("${Green}-- Enable remote image${ColourReset}") ++ else() ++ message("${Yellow}-- Can not enable remote image, remote image need enable sandboxer first ${ColourReset}") ++ endif() ++endif() ++ + option(ENABLE_OOM_MONITOR "Enable oom monitor" ON) + if (ENABLE_OOM_MONITOR STREQUAL "ON") + add_definitions(-DENABLE_OOM_MONITOR) +diff --git a/src/common/constants.h b/src/common/constants.h +index 8a6f86d8..7759896f 100644 +--- a/src/common/constants.h ++++ b/src/common/constants.h +@@ -218,6 +218,12 @@ typedef enum { WAIT_CONDITION_STOPPED = 0, WAIT_CONDITION_REMOVED = 1 } wait_con + #define CRI_CONTAINER_TYPE_LABEL_KEY "cri.isulad.type" + #define CRI_CONTAINER_TYPE_LABEL_SANDBOX "podsandbox" + ++#ifdef ENABLE_REMOTE_IMAGE ++// Note: Currently, remote image is used only in confidentail container, so the image is supposed to be encrypted ++#define SANDBOX_IMAGE_TYPE_REMOTE "remote" ++#define IMAGE_NAME_COCO "[Encrypted]" ++#endif ++ + #ifdef __cplusplus + } + #endif +diff --git a/src/daemon/common/cri/v1/v1_cri_helpers.cc b/src/daemon/common/cri/v1/v1_cri_helpers.cc +index d71e3681..48dcfb45 100644 +--- a/src/daemon/common/cri/v1/v1_cri_helpers.cc ++++ b/src/daemon/common/cri/v1/v1_cri_helpers.cc +@@ -325,10 +325,32 @@ void AddSecurityOptsToHostConfig(std::vector &securityOpts, host_co + } + + #ifdef ENABLE_SANDBOXER ++static defs_map_string_object_sandboxer_element *GetCRISandboxer( ++ const std::string &runtime, struct service_arguments *args) ++{ ++ defs_map_string_object_sandboxer_element *criSandboxer = nullptr; ++ defs_map_string_object_sandboxer *criSandboxerList = nullptr; ++ ++ criSandboxerList = args->json_confs->cri_sandboxers; ++ for (size_t i = 0; i < criSandboxerList->len; i++) { ++ if (criSandboxerList->keys[i] == nullptr || criSandboxerList->values[i] == nullptr || ++ criSandboxerList->values[i]->name == nullptr) { ++ WARN("CRI runtimes key or value is null"); ++ continue; ++ } ++ ++ if (runtime == std::string(criSandboxerList->keys[i])) { ++ criSandboxer = criSandboxerList->values[i]; ++ break; ++ } ++ } ++ return criSandboxer; ++} ++ + std::string CRISandboxerConvert(const std::string &runtime) + { + std::string sandboxer; +- defs_map_string_object_sandboxer *criSandboxerList = nullptr; ++ defs_map_string_object_sandboxer_element *criSandboxer = nullptr; + + if (runtime.empty()) { + return DEFAULT_SANDBOXER_NAME; +@@ -346,24 +368,47 @@ std::string CRISandboxerConvert(const std::string &runtime) + } + + sandboxer = DEFAULT_SANDBOXER_NAME; +- criSandboxerList = args->json_confs->cri_sandboxers; +- for (size_t i = 0; i < criSandboxerList->len; i++) { +- if (criSandboxerList->keys[i] == nullptr || criSandboxerList->values[i] == nullptr || +- criSandboxerList->values[i]->name == nullptr) { +- WARN("CRI runtimes key or value is null"); +- continue; +- } +- +- if (runtime == std::string(criSandboxerList->keys[i])) { +- sandboxer = std::string(criSandboxerList->values[i]->name); +- break; +- } ++ criSandboxer = GetCRISandboxer(runtime, args); ++ if (criSandboxer != nullptr) { ++ sandboxer = std::string(criSandboxer->name); + } + + out: + (void)isulad_server_conf_unlock(); + return sandboxer; + } ++ ++#ifdef ENABLE_REMOTE_IMAGE ++std::string GetCRISandboxerImageType(const std::string &runtime) ++{ ++ std::string imageType = ""; ++ defs_map_string_object_sandboxer_element *criSandboxer = nullptr; ++ ++ if (runtime.empty()) { ++ return imageType; ++ } ++ ++ if (isulad_server_conf_rdlock()) { ++ ERROR("Lock isulad server conf failed"); ++ return imageType; ++ } ++ ++ struct service_arguments *args = conf_get_server_conf(); ++ if (args == nullptr || args->json_confs == nullptr || args->json_confs->cri_sandboxers == nullptr) { ++ ERROR("Cannot get cri sandboxer list"); ++ goto out; ++ } ++ ++ criSandboxer = GetCRISandboxer(runtime, args); ++ if (criSandboxer != nullptr && criSandboxer->image_type != nullptr) { ++ imageType = std::string(criSandboxer->image_type); ++ } ++ ++out: ++ (void)isulad_server_conf_unlock(); ++ return imageType; ++} ++#endif + #else + std::string CRISandboxerConvert(const std::string &runtime) + { +diff --git a/src/daemon/common/cri/v1/v1_cri_helpers.h b/src/daemon/common/cri/v1/v1_cri_helpers.h +index 6a848581..4fd15d0b 100644 +--- a/src/daemon/common/cri/v1/v1_cri_helpers.h ++++ b/src/daemon/common/cri/v1/v1_cri_helpers.h +@@ -69,6 +69,10 @@ void AddSecurityOptsToHostConfig(std::vector &securityOpts, host_co + + std::string CRISandboxerConvert(const std::string &runtime); + ++#ifdef ENABLE_REMOTE_IMAGE ++std::string GetCRISandboxerImageType(const std::string &runtime); ++#endif ++ + void ApplySandboxSecurityContextToHostConfig(const runtime::v1::LinuxSandboxSecurityContext &context, host_config *hc, + Errors &error); + #ifdef ENABLE_CDI +diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc +index fe1cca0c..1cc584fb 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc +@@ -371,6 +371,11 @@ auto ContainerManagerService::GenerateSandboxInfo( + } + + sandbox_info->sandboxer = util_strdup_s(sandbox.GetSandboxer().c_str()); ++#ifdef ENABLE_REMOTE_IMAGE ++ sandbox_info->image_type = util_strdup_s( ++ CRIHelpersV1::GetCRISandboxerImageType(sandbox.GetSandboxer()).c_str() ++ ); ++#endif + sandbox_info->id = util_strdup_s(sandbox.GetId().c_str()); + sandbox_info->pid = sandbox.GetPid(); + sandbox_info->task_address = util_strdup_s(sandbox.GetTaskAddress().c_str()); +diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc +index 8a7779ad..fd87e90b 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc +@@ -468,11 +468,17 @@ auto PodSandboxManagerService::RunPodSandbox(const runtime::v1::PodSandboxConfig + // But pull image interface is only in CRI image service, and it can't be called in shim controller, + // so we pull image in CRI pod service. + const std::string &image = m_podSandboxImage; +- if (!EnsureSandboxImageExists(image, runtimeInfo.sandboxer, error)) { +- ERROR("Failed to pull sandbox image %s: %s", image.c_str(), error.NotEmpty() ? error.GetCMessage() : ""); +- error.Errorf("Failed to pull sandbox image %s: %s", image.c_str(), error.NotEmpty() ? error.GetCMessage() : ""); +- return response_id; ++#ifdef ENABLE_REMOTE_IMAGE ++ if (CRIHelpersV1::GetCRISandboxerImageType(runtimeInfo.sandboxer) != std::string(SANDBOX_IMAGE_TYPE_REMOTE)) { ++#endif ++ if (!EnsureSandboxImageExists(image, runtimeInfo.sandboxer, error)) { ++ ERROR("Failed to pull sandbox image %s: %s", image.c_str(), error.NotEmpty() ? error.GetCMessage() : ""); ++ error.Errorf("Failed to pull sandbox image %s: %s", image.c_str(), error.NotEmpty() ? error.GetCMessage() : ""); ++ return response_id; ++ } ++#ifdef ENABLE_REMOTE_IMAGE + } ++#endif + + // Step 3: Prepare sandbox checkpoint + PrepareSandboxCheckpoint(config, jsonCheckpoint, error); +diff --git a/src/daemon/executor/container_cb/execution_create.c b/src/daemon/executor/container_cb/execution_create.c +index dcbdd1d3..6cd860c2 100644 +--- a/src/daemon/executor/container_cb/execution_create.c ++++ b/src/daemon/executor/container_cb/execution_create.c +@@ -1016,6 +1016,18 @@ static int get_request_container_info(const container_create_request *request, c + + static int get_request_image_info(const container_create_request *request, char **image_type, char **image_name) + { ++#ifdef ENABLE_REMOTE_IMAGE ++ if (is_container_in_sandbox(request->sandbox) && ++ strcmp(request->sandbox->image_type, IMAGE_TYPE_REMOTE) == 0) { ++ /* ++ * Note: Currently, remote image type and coco image type ++ * are considered to be the same type. ++ */ ++ *image_type = util_strdup_s(IMAGE_TYPE_REMOTE); ++ *image_name = util_strdup_s(IMAGE_NAME_COCO); ++ return 0; ++ } ++#endif + *image_type = im_get_image_type(request->image, request->rootfs); + if (*image_type == NULL) { + return -1; +diff --git a/src/daemon/modules/api/image_api.h b/src/daemon/modules/api/image_api.h +index f35cd013..062684c9 100644 +--- a/src/daemon/modules/api/image_api.h ++++ b/src/daemon/modules/api/image_api.h +@@ -41,6 +41,9 @@ extern "C" { + #define IMAGE_TYPE_OCI "oci" + #define IMAGE_TYPE_EMBEDDED "embedded" + #define IMAGE_TYPE_EXTERNAL "external" ++#ifdef ENABLE_REMOTE_IMAGE ++#define IMAGE_TYPE_REMOTE SANDBOX_IMAGE_TYPE_REMOTE ++#endif + + typedef struct { + char *image; +diff --git a/src/daemon/modules/image/CMakeLists.txt b/src/daemon/modules/image/CMakeLists.txt +index d8b78ce1..6d31a1ea 100644 +--- a/src/daemon/modules/image/CMakeLists.txt ++++ b/src/daemon/modules/image/CMakeLists.txt +@@ -33,6 +33,16 @@ if (ENABLE_EMBEDDED_IMAGE) + ) + endif() + ++if (ENABLE_REMOTE_IMAGE) ++ add_subdirectory(remote) ++ list(APPEND local_image_srcs ++ ${REMOTE_SRCS} ++ ) ++ list(APPEND local_image_incs ++ ${REMOTE_INCS} ++ ) ++endif() ++ + set(IMAGE_SRCS + ${local_image_srcs} + PARENT_SCOPE +diff --git a/src/daemon/modules/image/image.c b/src/daemon/modules/image/image.c +index 871f5f39..baf2ba9d 100644 +--- a/src/daemon/modules/image/image.c ++++ b/src/daemon/modules/image/image.c +@@ -125,6 +125,10 @@ struct bim_type { + #include "oci_image.h" + #endif + ++#ifdef ENABLE_REMOTE_IMAGE ++#include "remote_image.h" ++#endif ++ + #ifdef ENABLE_EMBEDDED_IMAGE + #include "embedded_image.h" + #include "db_all.h" +@@ -243,6 +247,45 @@ static const struct bim_ops g_ext_ops = { + #endif + }; + ++#ifdef ENABLE_REMOTE_IMAGE ++/* remote */ ++static const struct bim_ops g_remote_ops = { ++ .init = NULL, ++ .clean_resource = NULL, ++ .detect = NULL, ++ ++ .prepare_rf = remote_prepare_rf, ++ .mount_rf = remote_mount_rf, ++ .umount_rf = remote_umount_rf, ++ .delete_rf = remote_delete_rf, ++ .delete_broken_rf = remote_delete_broken_rf, ++ .export_rf = NULL, ++ .get_dir_rf = NULL, ++ ++ .merge_conf = remote_merge_conf_rf, ++ .get_user_conf = remote_get_user_conf, ++ ++ .list_ims = NULL, ++ .get_image_count = NULL, ++ .rm_image = remote_rmi, ++ .inspect_image = NULL, ++ .resolve_image_name = remote_resolve_image_name, ++ .container_fs_usage = remote_container_filesystem_usage, ++ .get_filesystem_info = remote_get_filesystem_info, ++ .image_status = NULL, ++ .load_image = NULL, ++ .pull_image = NULL, ++ .login = NULL, ++ .logout = NULL, ++ .tag_image = NULL, ++ .import = NULL, ++ .image_summary = NULL, ++#ifdef ENABLE_IMAGE_SEARCH ++ .search_image = NULL, ++#endif ++}; ++#endif ++ + static const struct bim_type g_bims[] = { + #ifdef ENABLE_OCI_IMAGE + { +@@ -254,6 +297,9 @@ static const struct bim_type g_bims[] = { + #ifdef ENABLE_EMBEDDED_IMAGE + { .image_type = IMAGE_TYPE_EMBEDDED, .ops = &g_embedded_ops }, + #endif ++#ifdef ENABLE_REMOTE_IMAGE ++ { .image_type = IMAGE_TYPE_REMOTE, .ops = &g_remote_ops }, ++#endif + }; + + +diff --git a/src/daemon/modules/image/remote/CMakeLists.txt b/src/daemon/modules/image/remote/CMakeLists.txt +new file mode 100644 +index 00000000..6e7dab6d +--- /dev/null ++++ b/src/daemon/modules/image/remote/CMakeLists.txt +@@ -0,0 +1,13 @@ ++# get current directory sources files ++aux_source_directory(${CMAKE_CURRENT_SOURCE_DIR} local_remote_srcs) ++ ++set(REMOTE_SRCS ++ ${local_remote_srcs} ++ PARENT_SCOPE ++ ) ++ ++set(REMOTE_INCS ++ ${CMAKE_CURRENT_SOURCE_DIR} ++ PARENT_SCOPE ++ ) ++ +diff --git a/src/daemon/modules/image/remote/remote_image.c b/src/daemon/modules/image/remote/remote_image.c +new file mode 100644 +index 00000000..87b7593d +--- /dev/null ++++ b/src/daemon/modules/image/remote/remote_image.c +@@ -0,0 +1,81 @@ ++/****************************************************************************** ++ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2026. All rights reserved. ++ * iSulad licensed under the Mulan PSL v2. ++ * You can use this software according to the terms and conditions of the Mulan PSL v2. ++ * You may obtain a copy of Mulan PSL v2 at: ++ * http://license.coscl.org.cn/MulanPSL2 ++ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++ * PURPOSE. ++ * See the Mulan PSL v2 for more details. ++ * Author: liuxu ++ * Create: 2025-02-11 ++ * Explanation: provide remote image function ++ ******************************************************************************/ ++#include "remote_image.h" ++ ++#include ++ ++#include "utils.h" ++ ++ ++char *remote_resolve_image_name(const char *name) ++{ ++ return util_strdup_s(IMAGE_NAME_COCO); ++} ++ ++int remote_prepare_rf(const im_prepare_request *request, char **real_rootfs) ++{ ++ if (real_rootfs == NULL) { ++ ERROR("Failed to prepare remote rootfs, rootfs is NULL."); ++ return -1; ++ } ++ // real_rootfs will be changed by runtime when sandbox image type is "remote" ++ *real_rootfs = util_strdup_s("rootfs"); ++ return 0; ++} ++ ++int remote_rmi(const im_rmi_request *request) ++{ ++ return 0; ++} ++ ++int remote_get_filesystem_info(im_fs_info_response **response) ++{ ++ return 0; ++} ++ ++int remote_container_filesystem_usage(const im_container_fs_usage_request *request, imagetool_fs_info **fs_usage) ++{ ++ return 0; ++} ++ ++int remote_delete_broken_rf(const im_delete_rootfs_request *request) ++{ ++ return 0; ++} ++ ++int remote_delete_rf(const im_delete_rootfs_request *request) ++{ ++ return 0; ++} ++ ++int remote_umount_rf(const im_umount_request *request) ++{ ++ return 0; ++} ++ ++int remote_mount_rf(const im_mount_request *request) ++{ ++ return 0; ++} ++ ++int remote_merge_conf_rf(const char *img_name, container_config *container_spec) ++{ ++ return 0; ++} ++ ++int remote_get_user_conf(const char *basefs, host_config *hc, const char *userstr, defs_process_user *puser) ++{ ++ return 0; ++} +diff --git a/src/daemon/modules/image/remote/remote_image.h b/src/daemon/modules/image/remote/remote_image.h +new file mode 100644 +index 00000000..be952129 +--- /dev/null ++++ b/src/daemon/modules/image/remote/remote_image.h +@@ -0,0 +1,40 @@ ++/****************************************************************************** ++ * Copyright (c) Huawei Technologies Co., Ltd. 2025-2026. All rights reserved. ++ * iSulad licensed under the Mulan PSL v2. ++ * You can use this software according to the terms and conditions of the Mulan PSL v2. ++ * You may obtain a copy of Mulan PSL v2 at: ++ * http://license.coscl.org.cn/MulanPSL2 ++ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++ * PURPOSE. ++ * See the Mulan PSL v2 for more details. ++ * Author: liuxu ++ * Create: 2025-02-11 ++ * Explanation: provide remote image function definition ++ ******************************************************************************/ ++#ifndef DAEMON_MODULES_IMAGE_REMOTE_IMAGE_H ++#define DAEMON_MODULES_IMAGE_REMOTE_IMAGE_H ++ ++#include "image_api.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++char *remote_resolve_image_name(const char *name); ++int remote_prepare_rf(const im_prepare_request *request, char **real_rootfs); ++int remote_rmi(const im_rmi_request *request); ++int remote_get_filesystem_info(im_fs_info_response **response); ++int remote_container_filesystem_usage(const im_container_fs_usage_request *request, imagetool_fs_info **fs_usage); ++int remote_delete_broken_rf(const im_delete_rootfs_request *request); ++int remote_delete_rf(const im_delete_rootfs_request *request); ++int remote_umount_rf(const im_umount_request *request); ++int remote_mount_rf(const im_mount_request *request); ++int remote_merge_conf_rf(const char *img_name, container_config *container_spec); ++int remote_get_user_conf(const char *basefs, host_config *hc, const char *userstr, defs_process_user *puser); ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif +diff --git a/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc b/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc +index b2e2fb32..e26b87c8 100644 +--- a/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc ++++ b/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc +@@ -31,6 +31,8 @@ + #include "cxxutils.h" + #include "utils_timestamp.h" + #include "utils_array.h" ++#include "constants.h" ++#include "v1_cri_helpers.h" + + namespace sandbox { + +@@ -297,6 +299,12 @@ static defs_process *clone_defs_process(defs_process *process_spec) + + auto SandboxerSandbox::GenerateCtrlRootfs(sandbox_task *task, const char *baseFs) -> int + { ++#ifdef ENABLE_REMOTE_IMAGE ++ // do not mount image to vm for remote or confidential containers ++ if (CRIHelpersV1::GetCRISandboxerImageType(GetSandboxer()) == std::string(SANDBOX_IMAGE_TYPE_REMOTE)) { ++ return 0; ++ } ++#endif + size_t len = 1; + if (nullptr == baseFs) { + ERROR("Container %s has no base fs", task->task_id); +@@ -573,7 +581,7 @@ auto SandboxerSandbox::PrepareExec(const char *containerId, const char *execId, + } + process = process_wrapper->move(); + if (InitApiSandbox(apiSandbox) != 0) { +- ERROR("Failed to init %s api sandbox.", containerId); ++ ERROR("Failed to update %s api sandbox.", containerId); + goto del_out; + } + if (DoSandboxUpdate(apiSandbox) != 0) { +-- +2.34.1 + diff --git a/0198-isolate-isula-search-ut-in-registry_images_ut.patch b/0198-isolate-isula-search-ut-in-registry_images_ut.patch new file mode 100644 index 0000000..f7d5754 --- /dev/null +++ b/0198-isolate-isula-search-ut-in-registry_images_ut.patch @@ -0,0 +1,169 @@ +From 487191cf6bbedc14524056dd653bdc920e78f545 Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Wed, 19 Feb 2025 11:52:59 +1400 +Subject: [PATCH 198/198] isolate isula search ut in registry_images_ut + +Signed-off-by: zhongtao +--- + test/image/oci/registry/CMakeLists.txt | 10 ++- + test/image/oci/registry/registry_ut.cc | 103 +++++++++++++------------ + 2 files changed, 61 insertions(+), 52 deletions(-) + +diff --git a/test/image/oci/registry/CMakeLists.txt b/test/image/oci/registry/CMakeLists.txt +index d78bb7d3..5ae59ebc 100644 +--- a/test/image/oci/registry/CMakeLists.txt ++++ b/test/image/oci/registry/CMakeLists.txt +@@ -2,7 +2,16 @@ project(iSulad_UT) + + SET(EXE registry_images_ut) + ++if(ENABLE_IMAGE_SEARCH) ++ set(search_srcs ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/image/oci/registry/registry_apiv1.c ++ ) ++else() ++ set(search_srcs "") ++endif() ++ + add_executable(${EXE} ++ ${search_srcs} + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/utils/cutils/utils.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/utils/cutils/utils_regex.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/utils/cutils/utils_verify.c +@@ -34,7 +43,6 @@ add_executable(${EXE} + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/image/oci/storage/remote_layer_support/ro_symlink_maintain.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/image/oci/registry/registry.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/image/oci/registry/registry_apiv2.c +- ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/image/oci/registry/registry_apiv1.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/image/oci/registry/http_request.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/image/oci/registry/certs.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/image/oci/registry/auths.c +diff --git a/test/image/oci/registry/registry_ut.cc b/test/image/oci/registry/registry_ut.cc +index 4eacdb11..c5d9717c 100644 +--- a/test/image/oci/registry/registry_ut.cc ++++ b/test/image/oci/registry/registry_ut.cc +@@ -395,57 +395,6 @@ int invokeHttpRequestLogin(const char *url, struct http_get_options *options, lo + return 0; + } + +-int invokeHttpRequestSearch(const char *url, struct http_get_options *options, long *response_code, int recursive_len) +-{ +-#define RETRY_TIMES 3 +-#define SEARCH_TEST_NOT_FOUND 2 +-#define SEARCH_TEST_SERVER_ERROR 5 +-#define SEARCH_TEST_RETRY_SUCCESS 8 +- std::string file; +- char *data = nullptr; +- Buffer *output_buffer = (Buffer *)options->output; +- static int search_count = 0; +- +- ERROR("url is %s", url); +- ERROR("search_count is %d", search_count); +- +- std::string data_path = get_dir() + "/data/oci/"; +- if (strcmp(url, "https://index.docker.io/v1/_ping") == 0) { +- file = data_path + "ping_v1_head"; +- } else if (util_has_prefix(url, "https://index.docker.io/v1/search?q=busybox")) { +- search_count++; +- // test not find +- if (search_count >= SEARCH_TEST_NOT_FOUND && search_count < SEARCH_TEST_NOT_FOUND + RETRY_TIMES) { +- file = data_path + "search_result_404"; +- } +- // test server error and restry +- else if ((search_count >= SEARCH_TEST_SERVER_ERROR && search_count < SEARCH_TEST_SERVER_ERROR + RETRY_TIMES) || +- (search_count == SEARCH_TEST_RETRY_SUCCESS)) { +- file = data_path + "search_server_error"; +- } else { +- file = data_path + "search_result"; +- } +- } else { +- ERROR("%s not match failed", url); +- return -1; +- } +- +- data = util_read_text_file(file.c_str()); +- if (data == nullptr) { +- ERROR("read file %s failed", file.c_str()); +- return -1; +- } +- +- if (options->outputtype == HTTP_REQUEST_STRBUF) { +- free(output_buffer->contents); +- output_buffer->contents = util_strdup_s(data); +- } +- free(data); +- +- return 0; +-} +- +- + int invokeStorageImgCreate(const char *id, const char *parent_id, const char *metadata, + struct storage_img_create_options *opts) + { +@@ -921,6 +870,57 @@ TEST_F(RegistryUnitTest, test_cleanup) + ASSERT_EQ(remove_certs(mirror_dir), 0); + } + ++#ifdef ENABLE_IMAGE_SEARCH ++int invokeHttpRequestSearch(const char *url, struct http_get_options *options, long *response_code, int recursive_len) ++{ ++#define RETRY_TIMES 3 ++#define SEARCH_TEST_NOT_FOUND 2 ++#define SEARCH_TEST_SERVER_ERROR 5 ++#define SEARCH_TEST_RETRY_SUCCESS 8 ++ std::string file; ++ char *data = nullptr; ++ Buffer *output_buffer = (Buffer *)options->output; ++ static int search_count = 0; ++ ++ ERROR("url is %s", url); ++ ERROR("search_count is %d", search_count); ++ ++ std::string data_path = get_dir() + "/data/oci/"; ++ if (strcmp(url, "https://index.docker.io/v1/_ping") == 0) { ++ file = data_path + "ping_v1_head"; ++ } else if (util_has_prefix(url, "https://index.docker.io/v1/search?q=busybox")) { ++ search_count++; ++ // test not find ++ if (search_count >= SEARCH_TEST_NOT_FOUND && search_count < SEARCH_TEST_NOT_FOUND + RETRY_TIMES) { ++ file = data_path + "search_result_404"; ++ } ++ // test server error and restry ++ else if ((search_count >= SEARCH_TEST_SERVER_ERROR && search_count < SEARCH_TEST_SERVER_ERROR + RETRY_TIMES) || ++ (search_count == SEARCH_TEST_RETRY_SUCCESS)) { ++ file = data_path + "search_server_error"; ++ } else { ++ file = data_path + "search_result"; ++ } ++ } else { ++ ERROR("%s not match failed", url); ++ return -1; ++ } ++ ++ data = util_read_text_file(file.c_str()); ++ if (data == nullptr) { ++ ERROR("read file %s failed", file.c_str()); ++ return -1; ++ } ++ ++ if (options->outputtype == HTTP_REQUEST_STRBUF) { ++ free(output_buffer->contents); ++ output_buffer->contents = util_strdup_s(data); ++ } ++ free(data); ++ ++ return 0; ++} ++ + TEST_F(RegistryUnitTest, test_search_image) + { + registry_search_options *options = nullptr; +@@ -971,3 +971,4 @@ TEST_F(RegistryUnitTest, test_search_image) + + free_registry_search_options(options); + } ++#endif +\ No newline at end of file +-- +2.34.1 + diff --git a/0199-move-sandbox-network_ready-from-metadata-to-state-fo.patch b/0199-move-sandbox-network_ready-from-metadata-to-state-fo.patch new file mode 100644 index 0000000..9f96200 --- /dev/null +++ b/0199-move-sandbox-network_ready-from-metadata-to-state-fo.patch @@ -0,0 +1,80 @@ +From c61807c0f18022117fc02889b42d87ec19e9d1e9 Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Sat, 22 Feb 2025 10:38:59 +1400 +Subject: [PATCH 1/2] move sandbox network_ready from metadata to state for + save optimization + +Signed-off-by: zhongtao +--- + src/daemon/sandbox/sandbox.cc | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc +index b97c0bc6..33d7f63f 100644 +--- a/src/daemon/sandbox/sandbox.cc ++++ b/src/daemon/sandbox/sandbox.cc +@@ -431,7 +431,11 @@ auto Sandbox::UpdateStatsInfo(const StatsInfo &info) -> StatsInfo + + void Sandbox::SetNetworkReady(bool ready) + { ++ Errors tmp_error; + m_networkReady = ready; ++ if (!SaveState(tmp_error)) { ++ ERROR("Failed to save sandbox state, %s for %s", m_id.c_str(), tmp_error.GetMessage().c_str()); ++ } + } + + auto Sandbox::Save(Errors &error) -> bool +@@ -504,6 +508,8 @@ auto Sandbox::Load(Errors &error) -> bool + return true; + } + ++// no need to save state after recovery ++// when restarting isulad, the status will be updated again and wait sandbox + void Sandbox::OnSandboxReady() + { + WriteGuard lock(m_stateMutex); +@@ -514,6 +520,8 @@ void Sandbox::OnSandboxReady() + m_state.status = SANDBOX_STATUS_RUNNING; + } + ++// no need to save intermediate state ++// when restarting isulad, the status will be updated again and wait sandbox + void Sandbox::OnSandboxPending() + { + WriteGuard lock(m_stateMutex); +@@ -842,6 +850,7 @@ auto Sandbox::SaveState(Errors &error) -> bool + state.pid = m_state.pid; + state.status = m_state.status; + state.updated_at = m_state.updatedAt; ++ state.network_ready = m_networkReady; + + stateJson = GenerateSandboxStateJson(&state); + if (stateJson.length() == 0) { +@@ -953,6 +962,7 @@ auto Sandbox::LoadState(Errors &error) -> bool + m_state.createdAt = state->get()->created_at; + m_state.updatedAt = state->get()->updated_at; + m_state.status = (SandboxStatus)state->get()->status; ++ m_networkReady = state->get()->network_ready; + + return true; + } +@@ -1005,7 +1015,6 @@ auto Sandbox::LoadMetadata(Errors &error) -> bool + m_runtimeInfo.sandboxer = std::string(metadata->get()->runtime_info->sandboxer); + m_runtimeInfo.runtimeHandler = std::string(metadata->get()->runtime_info->runtime_handler); + m_netMode = std::string(metadata->get()->net_mode); +- m_networkReady = metadata->get()->network_ready; + m_taskAddress = std::string(metadata->get()->task_address); + m_netNsPath = std::string(metadata->get()->net_ns_path); + +@@ -1125,7 +1134,6 @@ void Sandbox::FillSandboxMetadata(sandbox_metadata* metadata, Errors &error) + metadata->runtime_info->runtime_handler = util_strdup_s(m_runtimeInfo.runtimeHandler.c_str()); + + metadata->net_mode = util_strdup_s(m_netMode.c_str()); +- metadata->network_ready = m_networkReady; + metadata->task_address = util_strdup_s(m_taskAddress.c_str()); + metadata->net_ns_path = util_strdup_s(m_netNsPath.c_str()); + +-- +2.43.0 + diff --git a/0200-clean-sandbox-when-create-failed-to-be-consisent-wit.patch b/0200-clean-sandbox-when-create-failed-to-be-consisent-wit.patch new file mode 100644 index 0000000..e3783b4 --- /dev/null +++ b/0200-clean-sandbox-when-create-failed-to-be-consisent-wit.patch @@ -0,0 +1,91 @@ +From e980d889e5af64219cbb1bf7ec4ebaa14c05588a Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Mon, 24 Feb 2025 15:10:28 +1400 +Subject: [PATCH 2/2] clean sandbox when create failed to be consisent with CRI + v1alpha + +Signed-off-by: zhongtao +--- + .../v1/v1_cri_pod_sandbox_manager_service.cc | 25 +++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc +index fd87e90b..35f968e8 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc +@@ -324,12 +324,14 @@ void PodSandboxManagerService::StartPodSandboxAndSetupNetowrk(std::shared_ptrCreate(error); + if (error.NotEmpty()) { + ERROR("Failed to create sandbox: %s", sandboxName.c_str()); +- return; ++ // clean_sandbox to be consisent with CRI v1alpha ++ goto cleanup_sandbox; + } + + msg.container_id = sandbox->GetId().c_str(); +@@ -380,15 +382,21 @@ void PodSandboxManagerService::StartPodSandboxAndSetupNetowrk(std::shared_ptrGetId(), 0, stopError); + WARN("Error stop container: %s: %s", sandbox->GetId().c_str(), stopError.GetCMessage()); ++ return; ++cleanup_sandbox: ++ sandbox::SandboxManager::GetInstance()->DeleteSandbox(sandbox->GetId(), error); ++ if (error.NotEmpty()) { ++ WARN("Error remove container: %s: %s", sandbox->GetId().c_str(), error.GetCMessage()); ++ } + } + + void PodSandboxManagerService::SetupNetowrkAndStartPodSandbox(std::shared_ptr sandbox, std::string &sandboxName, std::string &networkMode, Errors &error) + { + cri_container_message_t msg = { 0 }; + std::string network_setting_json; ++ bool clean_sandbox = true; + + // Step 8.1.1: Setup networking for the sandbox. + // Setup sandbox network before create sandbox since the remote create might fail for sandbox +@@ -404,6 +412,8 @@ void PodSandboxManagerService::SetupNetowrkAndStartPodSandbox(std::shared_ptrGetId().c_str(); + msg.sandbox_id = sandbox->GetId().c_str(); + msg.type = CRI_CONTAINER_MESSAGE_TYPE_CREATED; +@@ -438,6 +448,13 @@ cleanup_network: + return; + } + } ++ if (clean_sandbox) { ++ sandbox::SandboxManager::GetInstance()->DeleteSandbox(sandbox->GetId(), error); ++ if (error.NotEmpty()) { ++ WARN("Error remove sanbox: %s: %s", sandbox->GetId().c_str(), error.GetCMessage()); ++ } ++ } ++ + } + + auto PodSandboxManagerService::RunPodSandbox(const runtime::v1::PodSandboxConfig &config, +@@ -517,6 +534,10 @@ auto PodSandboxManagerService::RunPodSandbox(const runtime::v1::PodSandboxConfig + sandbox->Save(error); + if (error.NotEmpty()) { + ERROR("Failed to save sandbox, %s", sandboxName.c_str()); ++ sandbox::SandboxManager::GetInstance()->DeleteSandbox(sandbox->GetId(), error); ++ if (error.NotEmpty()) { ++ WARN("Error remove sanbox: %s: %s", sandbox->GetId().c_str(), error.GetCMessage()); ++ } + goto clean_ns; + } + +-- +2.43.0 + diff --git a/iSulad.spec b/iSulad.spec index d9e894f..b450799 100644 --- a/iSulad.spec +++ b/iSulad.spec @@ -1,5 +1,5 @@ %global _version 2.1.5 -%global _release 18 +%global _release 19 %global is_systemd 1 %global enable_criv1 1 %global enable_cdi 1 @@ -10,6 +10,7 @@ %ifarch x86_64 aarch64 %global enable_nri 1 %global enable_sandboxer 1 +%global enable_remote_image 1 %endif Name: iSulad @@ -196,6 +197,31 @@ Patch0172: 0172-image-store-fix-code-style.patch Patch0173: 0173-bugfix-mem-leak.patch Patch0174: 0174-bugfix-for-parse_http_header.patch Patch0175: 0175-add-layer-storage-ut-test.patch +Patch0176: 0176-add-registry-ut-test.patch +Patch0177: 0177-add-loongarch64-support.patch +Patch0178: 0178-add-storage-driver-ut.patch +Patch0179: 0179-iSulad-support-shim-stats-cmd.patch +Patch0180: 0180-fix-storage-driver-ut.patch +Patch0181: 0181-apply-patch-for-lib-shim-v2-install.patch +Patch0182: 0182-fix-error-macro-isolation-memory-leak-and-meanless-r.patch +Patch0183: 0183-add-dt-for-cri-v1.patch +Patch0184: 0184-do-check-process-alive-read-pid-ppid-info-in-runtime.patch +Patch0185: 0185-sandbox-sandboxer-code-isolation.patch +Patch0186: 0186-UT-sandboxer-code-isolation.patch +Patch0187: 0187-remove-uncalled-functions-in-cri-v1.patch +Patch0188: 0188-sandbox-fix-memory-leak-in-fill-sandbox-metadate.patch +Patch0189: 0189-add-sandbox-pid-init-and-verify-sandbox-ready-when-c.patch +Patch0190: 0190-modified-the-procedure-of-start-pod-and-set-up-netwo.patch +Patch0191: 0191-bugfix-dereference-null-pointer.patch +Patch0192: 0192-modify-save-step-in-run-sandbox.patch +Patch0193: 0193-add-dt-for-cri-v1.patch +Patch0194: 0194-modify-the-CreateContainer-failed-return.patch +Patch0195: 0195-Add-some-unit-tests-for-sandbox-and-shim-controller.patch +Patch0196: 0196-add-remove-pod-in-cri-stats.patch +Patch0197: 0197-coco-support-confidential-containers.patch +Patch0198: 0198-isolate-isula-search-ut-in-registry_images_ut.patch +Patch0199: 0199-move-sandbox-network_ready-from-metadata-to-state-fo.patch +Patch0200: 0200-clean-sandbox-when-create-failed-to-be-consisent-wit.patch %ifarch x86_64 aarch64 Provides: libhttpclient.so()(64bit) @@ -280,6 +306,9 @@ cd build %endif %if 0%{?enable_sandboxer} -DENABLE_SANDBOXER=ON \ +%if 0%{?enable_remote_image} + -DENABLE_REMOTE_IMAGE=ON \ +%endif %endif %endif %if 0%{?enable_shimv2} @@ -463,6 +492,12 @@ fi %endif %changelog +* Mon May 12 2025 dongyuzhen - 2.1.5-19 +- Type:enhancement +- CVE:NA +- SUG:NA +- DESC:sync patches from upstream + * Mon Dec 30 2024 jingxiaolu - 2.1.5-18 - Type: bugfix - ID: NA -- Gitee